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ABSTRACT 


State-supported cyber attacks, cyber espionage campaigns, and hacktivist 
movements have forced many states to accelerate their cyber defense development in 
order to achieve at least a minimum level of protection against expanding threats of cyber 
space. As with any other development effort, cyber capability development requires 
resources of time, money, and people, which in most cases are very restricted. To rapidly 
build up “the first line of defense,” enterprises should select the most efficient cyber 
controls and measures. 

This thesis sought out the top 10-20 cyber security controls, where ranking was 
based upon a return on investment (ROI) assessment. This ROI assessment entailed 
consideration of both the likely/expected security benefits of each candidate security 
control (the “R” numerator), and the likely/expected cost associated with each security 
control (the “I” denominator). The primary references for security controls and their 
specifications are NIST Special Publication 800-53, revision 4, “Security and 
Privacy Controls for Federal Information Systems and Organizations,” and publications 
of SANS, NS A, ISACA, the Center of Protection of National Infrastructure, and other 
organizations dealing with cyber security. The selected security controls are presented in 
a standardized form, with sections for description, expected ownership cost, expected 
security provided, and general implementation recommendations. 
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I. 


BACKGROUND 


Cyber space has transformed from merely being a means of communication to 
that of being a key enabler of national security, economy, culture, and science. As with 
almost any other powerful tool, cyber space can be abused by those with malicious 
intentions. The unique features of cyber space, such as its virtual nature and its 
asymmetry of offense/defense aspects, provide advantages if used against opponents. 
State and non-state actors use various cyber related technologies against their opponents 
to achieve or support their military, political, religious, and economic goals. 

Recent geopolitical changes and the transformation of the global security 
landscape have forced many countries and enterprise-level organizations to increase their 
efforts to mitigate constantly evolving cyber threats. From the defender’s side, an 
appropriate cyber security framework is the starting point for all defensive efforts. 
Resource restrictions (e.g., budgets, human resources, time) require very careful selection 
of defensive approaches and their implementation. 

Resource restrictions are the main motivator for this research. The goal of this 
thesis is to form a prioritized list of the most prudent and efficacious security controls 
that can most rapidly form a more robust “first line of defense.” These controls should 
significantly enhance the cyber security of enterprise-level organizations that have 
insufficient resources for the more demanding comprehensive development of cyber 
security capabilities. The selection of controls is based on the return on investment (ROI) 
approach, which prioritizes solutions that provide the most security per unit of time, 
money, or human capital investment. 

A. CYBER: THE FIFTH DOMAIN OF WARFARE 

Leon E. Panetta, the U.S. Secretary of Defense in 2011-2013, during a speech in 
2011 at the Woodrow Wilson Center said: 

Alongside this nuclear danger is an entirely new kind of threat we have to 
be better prepared to confront—the threat of cyber attacks. Cyber space 
has become a major concern as we face large numbers of attacks from 
non-state actors and large nations alike, and the prospect of a catastrophic 
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disruption of critical infrastructure that would cripple our nation. The 
potential to paralyze this country from a cyberattack is very real. [1] 

This quotation harmonizes well with the U.S. Department of Defense (DOD) 
attitude toward cyber space. DOD considers cyber space as the fifth warfare domain [2], 
adding to the four other well-known domains: land, air, sea, and space. Joint Publication 
3-12 “Cyberspace Operations” defines cyber space as a “global domain within the 
information environment consisting of the interdependent networks of information 
technology infrastructures and resident data, including the Internet, telecommunications 
networks, computer systems, and embedded processors and controllers” [3]. The success 
of virtually any modem military operation crucially relies on cyber space as the overall 
information infrastructure that provides the means for the military to gain and maintain a 
strategic advantage. Additionally, cyber space is a vital component of a country’s overall 
economic prosperity and growth. The growing dependency on information technology 
and cyber space makes the various technologies that comprise them one of the biggest 
vulnerabilities of developed countries. 

The vulnerabilities inherent in computer networks, along with highly 
sophisticated cyber attack techniques, present state and non-state actors with alluring 
opportunities to strike entire countries, including critical infrastructure targets. Executive 
Order 13636 defines critical infrastructure as “systems and assets, whether physical or 
virtual, so vital that the incapacity or destruction of such systems and assets would have a 
debilitating impact on security, national economic security, national public health or 
safety, or any combination of those matters” [4]. 

The Internet, the most prominent data exchange infrastructure that we use, was 
not originally designed to maximize security. Originally, it was an open system primarily 
intended to allow scientists and researchers to exchange data with one another quickly. 
Any military, medical, industrial, or other critical infrastructure system that connects to 
the Internet is a potential target for adversaries all around the globe. Despite all efforts to 
make cyber space more secure, it remains vulnerable to high precision, low cost, 
destructive attacks that can adversely affect an entire military operation, endanger 
millions of people, or collapse financial systems. 
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Cyber space is difficult to compare directly with the other four warfare domains, 
which are defined by their physical environment. The virtual nature of cyber space makes it 
borderless. Sean McGurk, Director of the National Cyber Security and Communications 
Integration Center with the U.S. Department of Homeland Security (DHS), has said: 
“There are no international borders and there [are] no oceans to cross” [5]. This distinctive 
feature of cyber space provides three unique benefits to an attacker: little likelihood of 
reprisal, inexpensive offensive capabilities, and asymmetry between offensive and 
defensive efforts. 

Today’s cyber related means, approaches, techniques, and tools provide abilities to 
conduct cyber warfare operations against strategic targets with limited risk to the attacker. 
Attacker risk is limited, in part, owing to the difficulty in distinguishing between system 
failures that are the result of an accidental program or system error and those that are the 
result of intentional malicious activities (attacks). Furthermore, it can be very difficult to 
track the origin of attacks. Attackers can stay anonymous by operating from spoofed 
Internet protocol (IP) addresses and geographically distributed servers. They can also 
exploit compromised and remotely controlled computers to perform attacks with relative 
impunity. 

The availability of relatively inexpensive offensive technologies provides attackers 
with means to rapidly create an offensive potential. No great investments are needed for 
development or usage of fairly advanced offensive cyber tools that can cause significant 
damage and disruption. These aspects of cyber warfare make cyber threats asymmetric. 
General Sir David Richards concludes this point by saying that “[at] relatively little cost, 
unsophisticated opponents with very cheap weaponry can pose a strategic threat” [6]. 
Attackers often need to find only one way to compromise a target; in contrast, defenders 
must contend with and defend all possible attack vectors. This exacerbates the asymmetry 
and requires high-cost solutions and investments by the defender. Moreover, defenders 
have to keep track of developing offensive methods in order to detect and mitigate newly 
developed attacks. 

The National Institute of Standards and Technology (NIST) emphasizes that the 

threat space is expanding and “characterized by the increasing sophistication of cyber 
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attacks and the operations tempo of adversaries” [7]. Tempo, in this context, can be 
characterized as “the frequency of such attacks, the professionalism of the attackers, and 
the persistence of targeting by attackers” [7], according to NIST. 

The division of cyber threat space, proposed by the British Chatham House report 
“On Cyber Warfare,” illustrates the variety of the malicious applications of cyber space. 
According to the report, cyber threats can be assigned to the following six main categories: 

• direct military threats, 

• indirect and non-military threats, 

• terrorism and extremism, 

• cyber espionage, 

• economic cyber crime, and 

• psychological cyber warfare. [8] 

Non-state actors (e.g., terrorist organizations, cyber criminals, and hacktivists), as 
well as state secret services, have adopted cyber attacks and operations as effective tools to 
achieve political, economic, or military goals. Joint Publication 3-12 defines a nation state 
threat as “potentially the most dangerous because of access to resources, personnel, and 
time that may not be available to other actors” [3]. This publication also expresses the 
opinion that other nations can impose threats in the form of cyber attacks and cyber 
espionage. Furthermore, cyber espionage can come not only from adversaries but also from 
allies. 

Past cyber attacks against Estonia, Georgia, Iran, and Ukraine serve as valuable 
examples of power projected via the cyber domain in order to achieve state goals or gain 
advantage in military operations. Russian-associated cyber attacks on Estonian network 
infrastructure in 2007 are the first publicly well-known example of a state-level cyber 
campaign. Dr. Olaf Theiler discusses how this case forced Estonia, and later all of the 
North Atlantic Treaty Organization (NATO), to reconsider the potential impact of cyber 
threats and the vulnerabilities of the cyber domain in general [9]. This paradigm shift 
resulted in the establishment of the NATO Cooperative Cyber Defense Center of 
Excellence in Tallinn. 
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The 2008 Russo-Georgian war is another milestone of conflict in the cyber domain. 
David M. Hollis in his study on this war says that it was the first known example of cyber 
attacks being well-coordinated and synchronized with major combat actions in the other 
warfighting domains [10]. About three weeks before the war began, multiple Russian 
hacker communities started to exploit vulnerabilities of the Georgian Internet 
infrastructure. With the first Russian troops crossing the border of Georgia, multi-vector 
cyber attacks disrupted government and private communications channels normally used 
by the Georgian authorities to communicate with their own people, as well as partner 
countries and other support organizations worldwide. 

The next major historical milestone in offensive cyber activities was the 
deployment of Stuxnet, the malware designed specifically, according to the European 
Agency for Network Information Security’s (ENISA) research, to target industrial control 
systems (ICS) [11] ICS remotely obtains sensor information from valves, pumps, 
transmitters, etc., and delivers proper control signals back to such devices. ENISA 
researchers indicate that the majority of infections were discovered within the Iranian 
telecommunication networks [11]. Nonetheless, the main target of Stuxnet was the uranium 
enrichment plant at Natanz that was involved in the state’s nuclear program. According to 
Paul Mueller and other researchers, Stuxnet’s interference with the plant’s ICS resulted in 
the physical destruction of around 1,000 centrifuges at Natanz [12]. The Stuxnet case is 
considered by many security experts to be the first case involving usage of a cyber weapon 
and the most advanced malware seen on the world stage up to that time [13]. David 
Kushner, in [14], shows that the high level of sophistication, complex architecture, and the 
all-around research effort needed to develop it, are highly suggestive of state-level 
involvement. 

Cyber warfare takes on special significance in the context of so-called hybrid war, 
as in, being an integral component of war. Hybrid, or non-linear, war is the combination of 
conventional warfare with economic, political, cultural, and cyber-oriented operations. The 
Russo-Ukrainian conflict, which started in 2014, is an example of various instruments of 
power applied through cyber space, such as propaganda, denial-of-service (DoS) attacks, 
website defacements, information leaks, and advanced cyber espionage campaigns. Russian 
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special forces, using high-tech operations along with direct physical impact, disrupted 
strategic communication systems during the Crimea occupation in 2014. 

During the operation in eastern Ukraine, Russian signals intelligence operations 
used intercepted-Internet data to locate and target Ukrainian troops. According to security 
researchers, to gather secrets from Ukrainian military and law enforcement officials, the 
Russian Federation has conducted several cyber espionage campaigns [15], [16]. David 
Sanger in [17] indicates that unrelenting cyber espionage campaigns have provided 
Moscow with considerable geopolitical and military advantage in the conflict with Ukraine. 
Snake, also known as Ouroboros or Turla, the cyber espionage malware comparable in its 
complexity to Stuxnet, has exfiltrated high value information from compromised Ukrainian 
government, diplomatic, and defense sector networks. The German security 
company GData, which analyzed the malware, concluded that it originated with Russian 
intelligence agencies that are part of the Russian government’s cyber-weapons program 
[18]. Multiple pro-Russian hacker groups, as well as the Russian government, have 
interfered in the Ukrainian elections, attempted to block the Ukrainian government and 
news websites, and conducted various messaging campaigns against Ukrainian targets. 

B. RISK MANAGEMENT FRAMEWORK (NIST SP 800-37) 

Gijs M. de Vries, the European Union’s anti-terrorism coordinator, has said: “We 
remain vulnerable. There is no such thing as 100 percent security’’ [19]. This quotation is 
well known among cyber security experts, knowing that achieving total cyber security of 
any organizational entity is an impossible task. This idea is a cornerstone of the risk-based 
approach to cyber security. Such an approach takes risk into account as the primary factor 
and considers effectiveness, efficiency, cost, and various legal/policy constraints in order to 
architect a balanced risk mitigation solution. 

The complexity and constant evolution of cyber attacks require a consistent and 
iterative approach to identify, assess, and manage the risks associated with cyber security. 
In this context, according to FIPS-200, risk is considered as all potential threats “to 
organizational operations (including mission, functions, image or reputation), 
organizational assets, individuals, other organizations, and the Nation, due to the potential 
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for unauthorized disclosure, disruption, modification, or destruction of information” [20]. 
The NIST SP 800-30 “Risk Management Guide for Information Technology Systems” 
defines risk management as “the process of identifying risk, assessing risk, and taking steps 
to reduce risk to an acceptable level” [21]. 

The Global State of Information Security Survey 2016, conducted by 
PricewaterhouseCoopers, which covers various enterprise entities in 127 countries, shows 
that 91% of these entities have adopted risk-based security frameworks [22]. A framework 
is a baseline that identifies the main components of such an approach. A cyber security 
framework is a standard designed to assist with managing the confidentiality, integrity, and 
availability of data and critical infrastructure that, in part, depends on that data. The survey 
also indicates that as a result of applying this approach, these entities have been able “to 
identify and prioritize threats, quickly detect and mitigate risks and understand security 
gaps” [22]. A risk-based approach allows better collaboration of cyber security internal and 
external efforts, and helps to design, monitor, and measure cyber security activities. 

The underlying idea is that attempts to apply all possible security controls to every 
IT-asset are impractical, if not impossible, and unsustainable. Resources spent on the 
protection of non-sensitive assets are not only inefficient, but diminish the overall security 
level, as cyber defense staff would likely be overwhelmed by numerous non-critical 
security incidents. Thus, understanding risk helps with the prioritization of cyber assets, 
shows what are the main protection concerns, provides guidance for better protection of 
systems and data, and helps determine what should (or should not ) be invested to protect 
those assets. Jeff Jenkins in his article shows that the value of the risk-driven security 
approach ranges from financial savings (by concentrating security spending on the most 
sensitive assets) to loss mitigation (by keeping efforts primarily focused on responding to 
threats against critical assets) [23]. 

Various frameworks, such as: PCI DSS, ISO 27001, OCTAVE, FAIR, and U.S. 

CERT offer recommendations that are now in use in different counties and enterprise-level 

organizations. The Risk Management Framework developed by the NIST is one of the 

most widely known. This framework provides a structured and flexible way for managing 

the risks related to mission dependency on information systems. This framework presents a 
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risk-based set of standards, security controls, specific details of risk assessment, and 
implementation of a mitigation strategy. It contains answers for typical questions and quick 
start guides that gather information from various NIST publications. The framework also 
provides simple ways to implement the standards and guidelines. According to NIST [24], 
broad-based concepts are used as a common language for addressing and managing cyber 
security risks. 

As shown in Figure 1, this framework captures the concept of the security life 
cycle, based on six key activities in managing enterprise-level risk: categorize, select, 
implement, assess, authorize, and monitor. Each of these key activities is supported by 
associated NIST special publications. For instance Step 2, “Select,” is covered in NIST SP 
800-53 rev4 “Security and Privacy Controls for Federal Information Systems and 
Organizations.” This publication provides a catalog of security controls for mitigating 
information system related risks, as well as recommendations on selecting controls [7]. The 
publication is a cornerstone of this thesis and is discussed in some detail in Chapter III. 
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implementation of full cycle of risk management activities. 


Figure 1. Six Steps of the Risk Management Framework. Source: [24]. 
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Resource Constraints 


Cyber development efforts and activities require appropriate resource allocation. 
The resource constraints mainly include financial constraints, timing constraints, and 
workforce constraints. Yet, in many cases the border between these constraints is not 
independent, as one often affects another. The financial constraints are the most 
influential one, as solving the other two constraints may be tremendously accelerated 
with increased funding. Manpower issues can be solved by using services of a third-party 
company. For instance, time needed to establish a core team of skilled cyber security 
experts may be decreased proportionally to the available financial resources. 
Nevertheless, increased financial resources cannot solve all resource constraints and 
limitations. For example, in some cases, especially those related to military missions, 
time is a crucial resource that cannot be substituted with other types of resources. Further, 
in many military applications, involvement of the third-party company is not an option 
due to classified information or combat situations. 

According to “Security Market Trends and Predictions,” a survey conducted by 
the Institute of Information Security Professionals, 60% of enterprise-level cyber security 
budgets are insufficient to match the level of threats faced, and only 7% of respondents 
stated that security funds were increasing proportionally to, or faster than, cyber related 
threats [25]. Due to limited budgets and evolving cyber threats, cost-effective resource 
utilization that prioritizes the protection of the most crucial assets, while spending less on 
those assets deemed less crucial, is one of the most essential aspects of a cyber security 
development program. Such an approach requires a risk-based selection process to 
identify the cyber security controls likely to deliver the greatest security ROI. 

2. Prioritization of Cyber Assets 

Cyber assets are “programmable electronic devices, including the hardware, 
software, and data in those devices” [26], as defined in the glossary of terms used by the 
North American Electric Reliability Corporation. To efficiently use available resources in 
order to protect its most critical assets, an enterprise-level organization should perform a 
prioritization analysis. For instance, network components, data, and processes need to be 
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prioritized based on their criticality in support of accomplishing mission objectives. 
According to the DOD Cyber Strategy, assessment of risks and hazards and careful 
prioritization of the systems and data to protect is a crucial responsibility of governments, 
companies, and organizations [2]. 

Risk assessments combined with an understanding of risk tolerance can help 
enterprise-level organizations prioritize cyber security activities. To achieve this, they 
have to establish priorities and make decisions through a process of evaluating the 
operational value of data, its sensitivity, possibility of threats, and vulnerability 
assessment of systems components. Besides that, clear identification by cyber defense 
operators of cyber assets critical to support mission priorities is a key to successful 
defense against an overwhelming number of cyber threats. Defenders have to decide and 
act quickly. With overwhelming threats, triage and prioritization should be performed in 
order to make decisions on the response technique to use. As described in a Naval 
Research Laboratory paper, “A Framework for Event Prioritization in Cyber Network 
Defense,” cyber incidents and security events should be triaged based on the potential 
damage they have to important assets and the mission [27]. This enables a better 
protection of critical missions by focusing on high priority events. 

The prioritization of cyber assets and cyber effort is the cornerstone of rapid cyber 
defense development. Rapid development of cyber capabilities is called for when a 
particular organization’s level of cyber security readiness is deemed far less than desired, 
and when an organization faces constraints in resources (financial, time, manpower), a 
systematic approach cannot be used to incrementally build up the cyber security program 
over a longer time frame. With a constantly expanding cyber threat space, along with 
rapidly changing geopolitical and global financial situations, some enterprise-level 
organizations, even entire nations, face new cyber-based threats for which they are ill 
prepared. 

Even though there is a general trend of increasing cyber security efforts, parts of 

this description, with some level of certainty, can be applied to many enterprise-level 

organizations, governmental organizations, and global business entities. According to the 

“2015 Global Cybersecurity Status Report,” issued by the Information Systems Audit and 
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Control Association (ISACA), only 38% of responders stated that they consider 
themselves ready for sophisticated cyber attacks, and 86% answered positively to the 
question “Do you believe there is a shortage of skilled cyber security professionals?” 
[28]. Another research report, the “2015 Cyberthreat Defense Report,” showed that only 
23% of respondents were confident that their organizations had made adequate 
investments in the tools needed to properly monitor their various information technology 
(IT) systems for indications of attack or compromise [29]. For such cases of insufficient 
resources available, careful prioritization of efforts and efficient utilization of constrained 
resources is the only option to protect valuable assets. 

C. RESEARCH APPROACH 

To answer the research question, this work is organized into five chapters. 
Chapter I provides the introductory information regarding this thesis and its goal. Chapter 
II introduces the underlying principles, fundamentals, and best practices involved in 
cyber security. It prepares readers who are unfamiliar with the topic for later discussion 
regarding security controls. Chapter III describes the approaches, structure, and security 
control families as defined by NIST’s Special Publication (SP) 800-53 rev4. Chapter IV 
focuses on forming a prioritized list of the security controls deemed to provide the most 
ROI for rapid cyber security development. Each chosen security control is briefly 
described, and then the rationale is offered for why it was chosen. Chapter V is the 
conclusion. It summarizes the work done and offers suggestions regarding future, follow- 
on work related to this research. 

There are several frameworks, standards, and guidelines covering measures to 
implement in order to increase the level of cyber security. They represent different 
approaches and classifications of this measure and corresponding security controls; 
however, all have in common a systematic approach for obtaining and strengthening 
cyber security capabilities. This approach has proved its effectiveness through the years, 
but it requires the allocation of appropriate resources, which, as discussed earlier, is not 
always possible. To establish an initial, yet significant, line of cyber defense, it is 
necessary to prioritize and implement ROI principles. 
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This research selects those technical or organizational cyber security controls 
most suitable (i.e., maximum “R” per invested “I”) for rapid development of cyber 
defense capabilities with limited resources. The main focus is on analyzing existing 
security controls to determine the investments needed to implement new or enhanced 
cyber defense capabilities, along with the expected security benefits of their 
implementation. This thesis involves the study of the main principles and techniques of 
cyber security, such as the CIA triad (Confidentiality, Integrity, and Availability), the 
principle of least privilege, risk management, the risk equation, return on investment, and 
other “pillars” of cyber security. 

The main effort of this thesis is to analyze existing governmental and private 
sector guidelines or standards that specify measures and technologies intended to mitigate 
cyber threats. The main focus is on security controls. The main criteria to be considered 
are the extent of the expected investment and the expected result (or return) on an 
organization’s cyber security posture after a particular control is incorporated. The 
primary reference for security controls and their specifications is NIST SP 800-53 rev4 
“Security and Privacy Controls for Federal Information Systems and Organizations.” 


12 



II. CYBER SECURITY: UNDERLYING PRINCIPLES, 
FUNDAMENTALS AND BEST PRACTICES 

A. DETERRENCE, PREVENTION, DETECTION, AND RECOVERY 

James LaPiedra, from the System Administration, Networking, and Security 
Institute (SANS), describes information security as a “process that goes through phases, 
building and strengthening itself along the way. Security is a journey not a 
destination” [30]. All the various tools used to achieve cyber security can be grouped 
according to where the functionality of each fits into the defense continuum—deterrence, 
prevention, detection and recovery. The idea of deterrence is to discourage a potential 
attacker from even initiating an attack. When deterrence fails, prevention is the next best 
outcome of an attempted attack. When prevention fails, detection is essential in order to 
inform the affected system owner of its occurrence. And last, recovery takes over once 
detection has occurred, and its activities will seek to restore the normal state of the 
system. None of these can guarantee that an attacker will not succeed in causing some 
form of damage to the targeted system; however, each of them can reduce the number of 
successful breaches and reduce the severity of those that do initially succeed in causing 
some level of damage. All four serve as a manageable cyber defense cycle, providing the 
high-level framework for dealing with ongoing cyber attacks. 

1. Deterrence 

Richard L. Kugler, a well-regarded security analyst, in his work “Deterrence of 
Cyber Attacks” demonstrates that deterrence as a concept of a traditional security theory 
can be imposed on the cyber domain [31]. Deterrence is aimed at discouraging potential 
attackers or policy violators from intentional harmful actions against the system to be 
protected. Deterrence is realized as specially designed constraints that raise the quantity 
of resources needed, time, and the level of expertise needed to perform malicious activity. 
These constraints make a potential attack too difficult or undesirable. Also deterrence 
might be implemented in the form of threat of consequences or potential punishment to a 
violator. All forms of deterrence should influence a potential intruder to give up and not 
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perform malicious activities because the cost or consequences of an attack outweigh its 
desired benefits. 

Thus, any deterrence efforts should include two components. The first one is the 
implementation of effective defensive mechanisms that make malicious activities 
exceedingly difficult. The second component is that of ensuring retaliation for any 
performed attack. This theory was effectively implemented during the Cold War in the 
form of nuclear deterrence. The defensive component was embodied in the deployment 
of sophisticated anti-missile systems. Precise high-orbit satellites and a variety of nuclear 
delivery systems facilitated the retaliation capability/threat. In contrast with nuclear 
deterrence, the cyber realm version of deterrence is somewhat more problematic. The 
anonymous nature of the digital domain results in difficulties and uncertainties of 
identifying the source of a cyber attack. 

2. Prevention 

Prevention aims at blocking malicious activities in their delivery phase, thus 
preventing them from actually causing the intended effects/harm. It is preferable to 
prevent an incident rather than to detect and recover from one. The key idea of prevention 
is modification of a computer system or environment in order to minimize potential ways 
of conducting a cyber attack against this system. 

Establishing reliable prevention mechanisms requires deep system analysis and 
careful planning. The planning should consider both accidental and intentional 
unauthorized modification, destruction, and disclosure of the information stored, 
processed, or transmitted by the system. Prevention is based on establishing and properly 
implementing security policies, controls, and processes. The incident prevention policy is 
the basis on which technical and administrative measures are built. Technical measures 
and controls could be either automated or manual, depending on the security policy and 
available resources for implementation of the policy. 

When preventive controls are implemented, the implementer must carefully 
consider tradeoffs regarding security and usability. Too much prevention can result in 
reduced user productivity, whereas too little prevention can result in system 
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compromises. The Information Security Management Handbook states that an effective 
user awareness program helps to increase users’ tolerance for restrictions posed by 
preventive controls [32]. 

3. Detection 

Detection of a security incident or policy violation is extremely important when 
deterrence and prevention controls do not stop an attacker. The last two are not very 
effective against so-called advanced persistence threats (APT). APTs can be 
characterized with a high level of attacker motivation, skills, and resources. APTs can 
exploit human factors using methods of social engineering that can bypass technical 
defensive measures. Thus, a system should be considered as likely vulnerable to APT. 
Not only APTs but other new or evolving threats can defeat existing preventive controls. 
Thus, reliable detection mechanisms should ensure that when defensive measures fail, the 
indications of the incident will be identified in timely manner so that appropriate 
response actions can be taken. 

The NIST “Guide to Intrusion Detection and Prevention Systems (IDPS)” defines 
an intrusion detection capability as “the process of monitoring the events occurring in a 
computer system or network and analyzing them for signs of possible incidents” [33]. 
Intrusion detection systems (IDS) sensors are usually deployed in various locations 
within a network to provide passive monitoring and threat identification based on 
signatures of known exploits. IDSs inform security personnel when intrusion attempts are 
detected. To distinguish normal system activity from malicious activity, IDSs should be 
properly configured and adjusted to each individual network or system. 

IDSs are usually categorized into two broad groups: network-based IDSs (NIDS) 
and host-based IDSs (HIDS). NIDS monitor traffic and events that occur via packets 
transiting between various devices on the network. HIDS monitor events and application 
activity in the computer system (host) on which it is installed. HIDS, in most cases, is 
implemented as a software agent on the host operating system. 
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4. Recovery 

Recovery controls form mechanisms that ensure availability of all resources 
needed to restore lost computing resources, capabilities, and services caused by a cyber 
incident. Such controls should address the major types of incidents, such as intentional 
malicious activity, unintentional security policy violation, and natural disasters. Recovery 
is based on procedures, techniques, and the appropriate tools that enable rapid backup 
and restoration of a computer system so as to minimize potential losses. 

At some stage, the recovery process should remedy the root vulnerability that 
enabled the incident in the first place. Execution of such corrective remediation may entail 
changes to current administrative or technical controls and will, ideally, prevent similarly 
targeted incidents from happening again. Analysis of incident root causes and the various 
ways to address them are the two main components of any post-incident report. This 
process is an important part of strengthening an organization’s overall cyber security 
posture. With new information regarding the root causes of each incident included in post¬ 
incident reporting, security personnel may leverage this to improve the quality of 
preventive security controls that may have missed attack indicators the first time around. In 
this manner, recovery efforts begin to overlap with prevention activities, which illustrate 
the cyclic nature of deterrence, prevention, detection, and recovery efforts. 

B. CIA TRIAD 

Information security policy within an organization has as its ultimate goal 
protection of three unique information attributes: confidentiality, integrity, and 
availability. These attributes are also known as the “CIA triad,” considered as the most 
important conceptual model of information security and cyber security. 

1. Confidentiality 

The Federal Information Security Management Act of 2002 (FISMA) defines 
confidentiality as “preserving authorized restrictions on information access and 
disclosure, including means for protecting personal privacy and proprietary information” 
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[34] . This means that information should only be seen by authorized entities. Loss of 
confidentiality is a result of the unauthorized disclosure of information. 

In computer systems, data encryption is a widely used approach for protecting 
confidentiality. Authentication, followed by authorization, is the standard procedure for 
implementing security controls intended to provide the information security objective of 
confidentiality. These procedures include user authentication based on biometrics, private 
knowledge, or knowledge/possession of secrets (e.g., passwords). As additional 
precautionary measures, system designers should strive to minimize the exposure of 
sensitive information by constraining it to appropriately secured devices, networks, and 
cryptographic mechanisms. 

2. Integrity 

Integrity is defined as “guarding against improper information modification or 
destruction, and includes ensuring information non-repudiation and authenticity” [34]. 
Through the entire life cycle of information, steps must be taken to insulate information 
from unauthorized modification or destruction as they result in a loss of integrity. 
Gopalan Sivathanu from Stony Brook University classifies integrity violations in three 
groups: hardware and software errors, malicious intrusions, and inadvertent user errors 

[35] . Measures taken to ensure the integrity of information and information systems 
maintain the trustworthiness and accuracy of data. This information security objective 
can be achieved using encrypted checksums. Various types of data backup schemes can 
restore the correct information state in case of a data compromise and, in this way, help to 
maintain the integrity of the data. 

3. Availability 

The third critical information security objective is availability. According to 

FISMA, availability is defined as “ensuring timely and reliable access to data and use of 

information” [34]. FISMA also indicates that “the disruption of access to or use of 

information or an information system” [34] results in a loss of availability. Methods to 

maintain availability include consistent hardware maintenance and performing necessary 

system upgrades, for both hardware and software. High-availability clusters and hardware 
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redundancy can minimize losses caused by hardware failures. Occurrences of 
communication bottlenecks can be mitigated by providing more bandwidth and having 
reserve backbone connections for use when main channels are at full capacity. 
Geographically isolated backup storage and service providing facilities can help to 
maintain availability in case of natural disasters such us floods, fires, or tornados. 
However, since attackers have myriad ways to break correct functional processes, 
availability is the most difficult security objective to guarantee. 

C. RISK EQUATION 

As has been addressed previously, risk management is the key managerial activity 
needed to ensure security resources are applied in the most efficacious manner, taking 
into account relative measures of risk and economic constraints. It establishes a common 
approach to identify and assess potential threats and vulnerabilities. It provides ways to 
determine what measures are needed for minimizing or avoiding the identified risk. 
Misunderstanding of risk, or its uncertainty, can lead to negative consequences and 
prevent the application of effective and efficient mitigation measures. 

The Risk equation is a tool used to determine risk. The equation describes the 
relation of four basic security concepts: vulnerability, impact, threat, and security 
controls. Risk can be described as the probability that a threat will exploit a 
vulnerability to cause negative impact to the system or an asset. This probability can be 
mitigated by security controls. Naval Postgraduate School Senior Lecturer John Fulp 
provides the following risk equation that is commonly used in cyber security: 

Risk = (Threat x Vulnerability x Impact) / Security controls [36]. 

As we can see from the equation, if any one of the three components in the 
numerator is zero, then the risk “product” is also zero. For instance, if there is no threat, 
then there is no risk, even if high potential impact and severe vulnerabilities exist in the 
system. Thus, risk appears when there are at least some of each: threat, vulnerability, and 
impact. 
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Unfortunately, the world we inhabit and, particularly, the cyber systems we 
operate are rife with targeted threats and innate vulnerabilities; thus, risk is a constant 
reality. The general idea of risk management is to determine potential risk, and then 
reduce it to an acceptable level. In this perspective, cyber security efforts are focused on 
both removing vulnerabilities and applying security controls. Well planned and 
implemented security policies, procedures, and technical solutions can effectively 
mitigate risk. Defensive efforts also should be aimed at the reduction of vulnerabilities by 
performing systematic vulnerability assessments and applying fixes and patches in a 
timely manner. 

D. REDUCING THE TARGET SURFACE AREA 

“Attack surface” is very important concept of cyber security that, when 
understood, can be leveraged to reduce the likelihood that cyber attacks are successful. 
According to Pratyusa K. Manadhata from the Institute of Electrical and Electronics 
Engineers (IEEE), a system’s attack surface can be defined as “the set of ways in which 
an adversary can enter the system and potentially cause damage” [37]. In other words, it 
is the sum of all vulnerabilities that can potentially be exploited. Most cyber attacks start 
by scanning the targeted system in order to discover potential attack vectors. Intuitively 
then, minimization of the attack surface via elimination or reduction of such 
vulnerabilities and vectors will reduce the exposed risk of the system. 

The principal idea behind this concept is the precept that one should enable only 
that minimum system functionality truly necessary for mission accomplishment. Any 
additionally enabled functionality would, according to this concept, only increase the 
opportunities of attacker success. The first step in reducing the attack surface area is an 
improved understanding of one’s network and the various devices and programs running 
within it. Clear understanding of the network architecture, the purpose of all hosted 
assets, along with their condition and status, is a necessary starting point for reduction of 
the attack surface area. All of these efforts, as well as other steps taken to implement the 
least privilege principle, help reduce the “attack surface area” of the system. The 
CompTIA Study Guide explains that the least privilege principle can reduce the attack 
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surface by “eliminating unnecessary privileges that can result in network exploits and 
computer compromises” [38]. 

E. PRINCIPLE OF LEAST PRIVILEGE 

“Least privilege” is a foundational principle for cyber security. The principle of 
least privilege (POLP) represents the practice of providing the least authority/access 
necessary to achieve any required and authorized functionality. NIST SP 800-14 
“Generally Accepted Principles and Practices for Securing Information Technology 
Systems” describes the principle as follows: “least privilege refers to the security 
objective of granting users only those accesses they need to perform their official duties” 
[39]. The principle aims to improve security by limiting the potential negative 
consequences of a security breach (intentional, accident, or error). Least privilege is well- 
known in military circles under the very similar “need-to-know” concept, where users are 
not granted access to sensitive information for which they have no mission-related need. 
Gary McGraw in [40] adds that the least privilege principle also suggests limiting the 
time for any granted access to the minimum necessary. The United States Computer 
Emergency Response Team (US-CERT) observes that careful selection and delegation of 
access rights can reduce the number of possible avenues of attacks [41]. “Least privilege” 
and the corresponding implementations of sufficiently granular access decisions require 
reliable authentication mechanisms. Such mechanisms will ensure that entities requesting 
access to resources are truly who, or what, they are presenting themselves to be. A 
common example of this is a person attempting to execute a privileged system command 
that is reserved only for system administrators. Without a reliable authentication 
mechanism, anyone—not just system administrators—would be able to execute 
privileged commands. 

Reliable authentication also enables system-wide auditing, where important 
actions can be attributed to the person or other entity (e.g., system-to-system actions) that 
initiated them. Such an audit/attribution mechanism should maintain a one-to-one 
correspondence between the actor/entity and whatever manner of identifier is used to 
represent him/her/it in the system. 
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Privileged access rights should be granted to a very small group, and this group 
should be subjected to more strict auditing/accountability standards owing to the added 
severity of damage that their higher privileges facilitate. Furthermore, administrators 
should use their privileged accounts only for tasks that require higher level permissions. 
All other routine, non-critical tasks, like web-browsing or email access, should be done 
using less privileged user accounts. 

The separation of duties helps reduce the consequences of malware infection, 
some networks attacks, and other security incidents. Malware, when activated on a 
system, usually runs with the privileges of the user who activated it. Thus, the malware 
activities initiated under a normal user account have less destructive potential than the 
same malware launched with administrator privileges. This simple but effective approach 
ensures that the impact of an account being compromised will be minimized by the 
limited privileges granted to this account. 

A firewall is, perhaps, the most visible example of a security device (whether 
hardware- or software-based) that can implement a form of “least privilege.” In this 
regard, SANS notes that firewall rules should be configured to permit only 
communication that is required for the proper functioning of permitted services and 
applications [42]. For example, such a rule allows only mail-server protocol traffic (e.g., 
POP3, IMAP, and SMTP) to traverse through the firewall to a public mail server. 

Another example of applying “least privilege” is seen in server, host, and operating 
system “hardening.” Hardened systems should use only system services that are required 
for normal operation; all other services have to be disabled. Disabling unneeded services 
reduces the number of possible attack vectors and vulnerabilities that can potentially be 
exploited. Another aspect of hardening is that of disabling unused user accounts. 

F. FAILURE TO AUTHENTICATE 

One of the fundamental benefits of the Internet is the delivery of data from almost 
any source to almost any destination, without any requirement to validate the authenticity 
of the source. This approach makes the Internet, as we know it, fast, smooth, and easy to 
use. From the other side, however, the lack of source authentication results in a 
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vulnerability that can be taken advantage of by attackers. US-CERT describes a domain 
name server (DNS) amplification attack as a popular form of distributed DoS attack 
(DDoS), which exploits the failure to authenticate [43]. The attack is based on an open 
DNS server that resolves any request it gets without validating the requester’s IP address. 
John Fulp explains the flow of the attack as follows: to perform the attack an attacker 
sends to an open DNS server a specially crafted DNS query request that has its IP source 
address spoofed to match that of the victim’s IP address [44]. The attacker can easily 
send a large, and continuous, volume of such spoofed DNS requests, so as to flood the 
victim’s network bandwidth. In this way the attacker uses vulnerabilities of DNS 
protocols and turns small protocol queries into large amplified responses that can exhaust 
the victim’s resources and cause the denial of service. The mitigation of failure to 
authenticate is obviously the implementation of a reliable authentication mechanism. 

G. REDUNDANCY AND CAPABILITY FOR RESILIENCY 

Resilience is the ability of a system to maintain an acceptable level of service 
when faced with various challenges and faults. David Tipper says that the objective of 
resiliency is to avoid failures, a situation where the network is unable to deliver 
acceptable quality of communication services [45]. In networking, these services provide 
the ability for users to access information when needed. 

The ENISA differentiates four main challenges that can be obstacles to achieving 
resiliency: 

• Infrastructure formed by all hardware and software assets that 
enable network communication, functionality, and operations of computer 
systems, power, and other supportive facilities. 

• Technology platforms represented by protocols, hardware, and software 
implementations. 

• Organizational process. Process here includes but is not limited to 
network management, configuration management, incident response, etc. 

• Organizational continuity includes resources for continuity and resilience, 
technical training, user awareness, crisis communication, and so on. [46] 
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A well-known example of a technology platform challenge would be a DoS attack 
that exploits finite resources of a computer system. DoS and DDoS attacks can paralyze 
entire systems by sending an overwhelming volume of requests that eventually exhaust 
the targeted resource. Resources in computer systems can be divided into three broad 
categories: memory, bandwidth, and processing. Bandwidth DDoS attacks overload a 
communication channel such that no bandwidth is left for legitimate communications. 
This can be done by a bot-net network comprised from many devices (“bots”) connected 
to the Internet and covertly controlled by a “master.” When “masters” control hundreds 
or thousands of “bots,” they are capable of constantly sending a large number of 
apparently legitimate packets to targeted routers, servers, and firewalls. All these targeted 
devices are connected to the Internet by channels with limited bandwidth, and by 
themselves, have limited processing resources and memory with which to deal with the 
large volume of traffic/requests. A Riverhead Networks Whitepaper discusses how as a 
result of such packet-flooding attacks, targets fail under the excessive load and can no 
longer process valid transactions [47]. In a military environment, even a short-term 
disruption in communication services can jeopardize a mission and result in loss of 
human life. In the business sector, such service failures can result in frustrated customers 
and high financial loses. 

On October 21, 2016, a powerful DDoS attack against one of the biggest network 
service providers in the United States caused PayPal, Twitter, Amazon, Reddit, Tumblr, 
Netflix, and more than a hundred other popular websites to be unreachable for several 
hours. Steve Evans in his article indicates that this attack disrupted the functionality of 
Internet-based services along the U.S. West Coast and affected millions of users [48]. 
Famous security technologist Bruce Schneier made a comment on this attack: “the size 
and scale of these probes—and especially their persistence—points to state actors. It feels 
like a nation’s military cyber command trying to calibrate its weaponry in the case of 
cyberwar” [49]. This is an illustrative example of the utilization of cyber attacks on a 
large scale against nation-level infrastructures. 

Cisco explains that the finite nature of system resources, along with the 
distributed sources of DDoS attacks and easily available DoS tools, makes DDoS attacks 

23 



very difficult to defend against [50]. There are various defense methods against various 
attack methods. Protective devices that perform signature matching detection of attacks 
are not very effective against DDoS attacks, as it is difficult to distinguish packets that 
come from a “hot” from those that come from a legitimate user. Another DDoS defense 
approach uses anomaly-based monitoring to detect unusually high volumes of traffic 
coming from a single origin. However, such defensive mechanisms can be eluded by IP- 
spoofing, “a type of impersonation technique, where the attacker transmits packets with a 
forged source IP address rather than its own” [51]. The easiest, although expensive, way 
to defend a system against DDoS attacks is to have redundancy in the resources the 
system uses. Since a denial of service attack is largely an attack against capacity, having 
additional capacity is one way to mitigate disruption in services. Provisioning excess 
bandwidth or having redundant network devices can help to handle extreme surges in 
request demands and mitigate the effects of an attack. 

H. ROI (RETURN ON INVESTMENT) EQUATION 

The Informing Science Institute describes return on investment (or ROI) as “one of 
the most popular performance measurement and evaluation metrics used for evaluating 
existing information systems and making informed decisions on software acquisitions and 
other projects” [52]. The computer security world sometimes uses the related term, return 
on security investment, instead. The metrics are used for evaluating potential investments 
in security solutions in order to compare them and choose those that “deliver the most for 
the least.” The solution with the highest ROI is prioritized. John Fulp expresses [36] the 
return on investment in the formula (Figure 2): 


ROI = 


ExpectedLossBefore* - ExpectedLossAfter* - CostOf_Sec_Control 
ExpectedLossBefore* 


* Relative to application of the security_control 


Figure 2. Return on Investment Formula. Source: [36]. 
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Application of ROI in business and security varies and includes: justification of 
potential investments and acquisition decisions, security solution prioritization, 
evaluation of existing solutions and their post-implementation assessments. Cyber 
security tools do not produce a tangible profit; they are designed to prevent incidents. 
Therefore, return on security investment may be interpreted as a profit that comes from 
saving money that would be spent on overcoming negative consequences of any or all 
realized incidents. However, in cyber security, there exists a myriad of additional 
probabilistic factors that further complicate anything resembling a precise valuation of 
return (i.e., the “R”) in the ROI calculus. 

Quantitative calculation of return on investment is a usual business practice. In 
cyber security, however, the quantitative approach becomes too complex, sometimes 
controversial, and often difficult to understand. For example, most automated security 
solutions may require a certain amount of configuration and adjustments. Such 
customization work can cost many times more than the cost of the initial purchase of the 
non-configured tool itself. Furthermore, in order to function properly, many cyber 
security tools require some kind of subscription or licensing for technical support, 
updates, signatures, and online services. These factors also add a lot of uncertainty to the 
“I” of the ROI calculus. Loss is another factor of uncertainty and guessing. In light of 
constantly evolving threats, rapid development of cyber offensive capabilities can change 
the security landscape tremendously in a short amount of time. What is thought secure 
today, may not tomorrow. In cyber security, ROI can, however, be effectively used in a 
qualitative manner. For instance, the IT industry widely uses several methods, notably: 

• the Operationally Critical Threat, Asset and Vulnerability Evaluation 
(OCTAVE); 

• NIST SP 800-30 revl “Guide for Conducting Risk Assessments”; and 

• Control Objectives for Information and Related Technologies “COBIT 5 for 
Risk.” 

Now that we have an idea regarding some of the main security concepts and the 
notion of ROI as it pertains to the cyber security domain, we are ready to examine, in 
Chapter III, security control fa mi lies from NIST SP 800-53 rev4, with an eye to which 
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security principle(s) they may provide/promote, and what we might expect from them in 
terms of security ROI. Along with the need to discuss the system for which we select 
security controls, we must also discuss the selection and prioritization methodologies. 
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III. CYBER SECURITY CONTROLS 


The Federal Information Processing Standard Publication 199 defines security 
controls as “the management, operational, and technical controls (i.e., safeguards or 
countermeasures) prescribed for an information system to protect the confidentiality, 
integrity, and availability of the system and its information” [34]. 

A. NIST SP 800-53: AN INTRODUCTION 

The National Institute of Standards and Technology develops and promotes the 
standards for industry and federal agencies. In order to support the implementation of the 
FISMA, the NIST Information Technology Laboratory has developed a series of special 
publications regulating various aspects of this matter. NIST SP 800-53 rev4 is a 
consolidated information security framework that provides a comprehensive set of 
security controls, three types of security control baselines, and the methodology and 
guidance for selecting a baseline along with specific security controls [7]. All these tools, 
if implemented correctly, can fundamentally fortify information systems and provide the 
near real-time information needed for risk-management decisions. This publication was 
developed based on a holistic and consistent approach to risk management and cyber 
security. 

To establish a common foundation for cyber and information security, the 
Information Technology Laboratory collaborates and consults with other federal entities, 
including the Office of the Director of National Intelligence, the DOD, and the 
Committee on National Security Systems, in addition to organizations in the private 
sector. Such cooperation ensures a comprehensive expert vetting and systematical review, 
helps to avoid duplication of effort, and increases the overall efficiency of national cyber 
and information security efforts. The SP 800-53 publication is not a compliance, 
“checklist-type,” standard like PCI DSS (The Payment Card Industry Data Security 
Standard) or HIP A A (Health Insurance Portability and Accountability Act of 1996). 
Rather, it is guidance that provides a well-structured catalog of controls needed for 
achieving compliance with most federal information assurance and cyber security 
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standards. Also, this publication does not cover assessment of the correctness of security 
control implementation. Guidelines for performing such “correctness” are represented in 
a separate publication, NIST SP 800-53A “Guide for Assessing the Security Controls in 
Federal Information Systems and Organizations.” 

B. THE SECURITY CONTROL FAMILIES 

NIST SP 800-53 rev4 organizes all security controls into 18 distinct fa mi lies 
based on the general security topic common for controls. All security controls focus on 
the fundamental security approaches and countermeasures. This publication mostly 
contains technology-neutral and policy-neutral controls. In other words, they are not 
tailored to any specific environment or technology. The tailoring process for application- 
specific matters is described in Chapter III of the publication. 

As described in NIST SP 800-53 rev4, adherence to technology- and policy- 
neutral security controls has the following advantages, which encourage organizations to: 

• Focus efforts on the security capabilities needed for mission success and 
the protection of information, irrespective of the information technologies 
used. 

• Analyze each security control for its applicability to specific technologies, 
operational environments, and mission’s objectives. 

• Specify security policies as part of the tailoring process for security 
controls that have variable parameters. [7] 

The Table 1 presents security control families along with a brief description of 
each family’s content. 


Table 1. NIST 800-53 rev4 Security Control Fa mi lies 


Identifier 

Security control 
family 

Controls in 
the family 

Brief description of the family content 

AC 

Access Control 

25 

Contains access control policy and procedures 

Limits access to information and systems 

Provides guidance on defining roles and privileged 
accounts 

AU 

Audit and 
Accountability 

16 

Provides a mechanism to record incidents and security 
policy violations 

Provides guidance for log-collection 

Defines audit review, analysis, protection and reporting 
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Identifier 

Security control 
family 

Controls in 
the family 

Brief description of the family content 

AT 

Awareness and 
Training 

5 

Defines security awareness and training policy and 
procedures 

Describes security awareness program, role-based 
training 

CM 

Configuration 

Management 

11 

Outlines configuration management policy and 
procedures 

Defines system baseline configuration and change 
restrictions 

Describes configuration management plan 

CP 

Contingency 

Planning 

13 

Focuses on contingency planning, training and testing 
Provides controls for system recovery and backup 
procedures, alternate security mechanisms 

IA 

Identification 

and 

Authentication 

11 

Describes identification and authentication (I&A) policies 
and procedures. 

Defines I&A Procedures for different types of users 

Details cryptographic aspects of identification and 
authentication 

IR 

Incident 

Response 

10 

Outlines incident policies and procedures 

Describes incident response planning, training, testing 
Describes incident monitoring, reporting, handling, and 
analysis 

MA 

Maintenance 

6 

Outlines system maintenance policy and procedures 
Describes maintenance tools, personnel aspects 

MP 

Media Protection 

8 

Outlines media protection policy and procedures 

Describes media access, marking, storage, transport, 
sanitization, use, downgrading 

PS 

Personnel 

Security 

8 

Outlines personnel security policy and procedures 

Details personnel screening, termination, transfer, 
sanctions 

PE 

Physical and 
Environmental 
Protection 

20 

Outlines physical and environmental policy and 
procedures 

Describes physical access control, authorization, 
monitoring 

Details support system policies and emergency 
procedures 

PL 

Planning 

9 

Outlines security planning policy and procedures 

Describes system security plan development, update 
Outlines rules of behavior, security architecture, central 
management 

PM 

Program 

Management 

16 

Identifies information security resources, inventory, 
workforce 

Outlines risk management strategy, enterprise 
architecture, critical infrastructure plan 

RA 

Risk Assessment 

6 

Outlines risk assessment policy and procedures 

Identifies security categorization 

Describes vulnerability scanning and monitoring 

CA 

Security 
Assessment and 
Authorization 

9 

Outlines security assessment and authorization policy and 
procedures 

Describes security certification and assessment 

Describes penetration testing 

SC 

System and 
Communications 

44 

Outlines system and communication protection policy 
and procedures 
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Identifier 

Security control 
family 

Controls in 
the family 

Brief description of the family content 


Protection 


Details implementation of protected communication with 
systems 

Identifies various technical aspects of network protection 
mechanisms, boundary protection 

Describes limiting direct hardware access 

SI 

System and 
Information 
Integrity 

17 

Outlines system and information integrity policy and 
procedures 

Describes malware protection, monitoring, and handling 
Identifies information input and output restrictions 

SA 

System and 
Services 
Acquisition 

22 

Outlines system and services acquisition policy and 
procedures 

Describes system development life cycle 

Defines software development, usage control, and 
documentation 


NIST SP 800-53 rev4 divides all security controls into three categories: common 
controls, custom controls, and hybrid controls. Common controls are intended to be used 
throughout an agency for all of its information systems. Custom controls are suited to a 
particular system, or even for an individual device. Hybrid controls have characteristics 
of the previous two categories, and thus such controls are based on common controls but 
have been tailored for a particular system or component [7]. 

Many security controls have control enhancements aimed at increasing the 
effectiveness and strength of the main control. Control enhancements should be 
implemented in conjunction with the main control. Each family starts with the so-called 
“dash-1 control,” which defines policies and procedures required for implementation of 
the various controls included in the family. Many security controls have supplemental 
guidance intended to help define and implement a given security control by providing 
supplemental information. Supplemental guidance does not include any additional 
requirements to the control. 

C. ENVIRONMENTAL SPECIFICS 

This thesis is aimed at determining the top 10-20 security controls that would 
address security gaps of some information systems in order to achieve an acceptable level 
of risk. The information systems (IS) addressed here are those of computer networks 
deployed by military units on their permanent base facilities. The overall purpose of these 
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ISs is considered to be in support of process and exchange of various work-related 
documents and emails, Internet access, and the facilitation of infrastructure for several 
specific administrative applications. It is assumed that these ISs have been designed and 
built from the usability perspective, rather than with significant consideration for 
security. We assume the ISs’ network architectures are based on the domain service 
management model, with a single Microsoft Active Directory Domain Controller that has 
the following characteristics: 

• No group security policies are implemented. 

• No network defense mechanisms are implemented, except regularly 
updated antimalware applications installed on workstations and servers. 

• No security policy enforcement mechanisms are implemented. 

• No workstation centralized management is implemented. 

• No user activity monitoring and audit procedures are implemented. 

From the other side, some security aspects are well handled due to strict military 
organizational policies and procedures. The following aspects are well enforced and 
audited (i.e., no additional security controls required): 

• Physical security matters (e.g., physical access to network assets, video 
surveillance, guards). 

• Personnel security matters (e.g., personnel screening, delegation of 
authorities). 

• Environmental and life support system matters (e.g., electricity, cooling 
and heating, natural disaster). 

• System and service acquisition (e.g., procurement security, vendor 
certification and screening). 

To address the network vulnerability to basic types of attacks that can jeopardize 
a unit’s mission, cyber capabilities should be developed in a short period of time (we 
suggest within six months) so as to facilitate a relatively rapid build-up of the “first line 
of defense.” Environmental specifics render many potential security controls less 
necessary, or less effective than they would otherwise be. The suggested development 
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time of only six months implies that any security controls that are very time consuming to 
implement, or that require extensive personnel training, will be deemed unacceptable to 
the goals of this research. Further filtering is applied for those security controls that are 
very costly in terms of initial investment, maintenance, support licensing, etc. 

Therefore, the security controls for rapid cyber security development in resource 
constrained conditions would be mostly, but not necessarily limited to, fundamental 
preventive security controls that provide some immediate increase in cyber protective 
capability for the given network. According to a Center for Strategic and International 
Studies report, “more than 90% of successful breaches required only the most basic 
techniques” and “ 96% of successful breaches could have been avoided if the victim had 
put in place simple or intermediate controls” [53]. A good example of a security control 
with a very high ROI ratio would be that of deploying a password requirement policy that 
enforces complexity, non-reusability, and change period requirements. Implementation of 
this particular security control would, in most cases, not require deployment of high-end 
equipment, nor entail long and costly technical personnel training, nor the purchasing of 
licenses or other kinds of capital resource investments. However, this simple security 
control addresses a tremendous amount of cyber exploitation techniques and attack 
vectors. The result is a single security control (secure password management) that would 
yield high returns (‘R’) on security, for a relatively low investment (T) of time, money, 
and personnel resources; i.e., a high ROI solution. 

D. INDUSTRY RECOMMENDED STANDARDS 

There are several top-lists of security controls that contain the most effective 
security controls prioritized by highest return. However, these “top-lists” predominantly 
do not consider the investments needed and resource constraints. The desire for rapid 
development of cyber security capabilities in a resource-constrained environment 
requires the selection of security controls with high ROI. We might refer to this approach 
to security control selection as the “quick win” approach. Industry recommended top 
security control lists do not take this ROI issue into consideration; instead, they focus 
completely, or at least predominantly, on the Return (‘R’) numerator. 
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The Return of candidate security controls was assessed based on the various cyber 
security reports, a series of SANS publications “What works case studies,” and other 
materials on success cases. To analyze potential security controls from an investment 
perspective, we used the consistent, industry-standard approach to conduct assessment of 
costs: the “Total cost of ownership” (TCO) approach. Gartner defines TCO as “a 
comprehensive assessment of information technology or other costs across enterprise 
boundaries over time” [54]. To tailor TCO to cyber security technologies, we have 
considered the initial investments and the cost of ongoing maintenance. The initial 
investment in our analysis is presented by the following relative aspects: 

1. cost of equipment or software required to implement a security control; 

2. time needed for implementing a security control (in terms of time for 
deploy of equipment or software, configuring); 

3. time required for training of technical personnel to obtain skills and 
knowledge needed for implementing the security control; and 

4. potential user resistance caused by restrictions introduced by a security 
control. 

Investment in maintenance considers the cost of purchasing annual licenses or 
other investments necessary to operate a security control. Due to various licensing 
policies and support models, maintenance costs can vary significantly, but should never 
be underestimated. According to the Gartner research on this matter, “80% of total IT 
costs occur after the initial purchase” [55]. Also, maintenance costs should take into 
account staff involvement in the ongoing operation of the security control. This 
involvement includes, but is not limited to, periodic audit activities, configuration 
updating and revision control, policy development, and security control review (e.g., 
certification and accreditation). 

The following industry publications and recommendations on security controls 
were analyzed using the aforementioned perspectives: 

“The CIS Critical Security Controls for Effective Cyber Defense” version 6 
developed by the SANS Center for Internet Security (CIS). Published in October 2015. 
This document provides a comprehensive list of actionable guidance to mitigate the most 
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pervasive and dangerous attacks. The list of controls was developed with a focus on the 
most common threats and attack patterns based on the leading cyber threat reports of 
government agencies and the private sector [56]. 

“Strategies to Mitigate Targeted Cyber Intrusions” developed by the 
Australian government’s Cyber Security Operations Center (ASCS), also known as the 
“Australian top 35.” Updated in February 2014. This publication contains an ordered list 
of 35 security controls and provides additional information on relative implementation 
costs and user acceptance levels [57]. 

“10 Steps to Cyber Security” developed by the United Kingdom National Cyber 
Security Center (UK NCSC). Updated in August 2016. This guidance provides high-level 
abstraction strategies on gradually achieving cyber security based on the risk 
management regime [58]. 

“10 Basic Cybersecurity Measures. Best Practices to Reduce Exploitable 
Weaknesses and Attacks” developed by Water Information Sharing and Analysis 
Center Security Information Center (Water-ISAC) in partnership with the DHS Industrial 
Control Systems Cyber Emergency Response Team (ICS-CERT) and the Federal Bureau 
of Investigation (FBI). Updated in June 2015. This document provides a list of ten 
fundamental cyber security recommendations for critical infrastructure systems in order 
to reduce system vulnerabilities and increase robustness against cyber threats [59]. 

“IAD’s Top 10 Information Mitigation Assurance Strategies” developed by 
the Information Assurance Directorate of the National Security Agency (NSA IAD). 
Published in December 2015. This publication, based on the “Brake the attack life cycle” 
approach, provides ten proactive mitigation security controls making networks defensible 
[60], 

To develop a list of the top 10-20 security controls that address the “quick win,” 
high ROI, requirements of this study, and to do so in a methodical way, the analysis of 
the previously identified industry recommended controls and strategies was conducted 
according to the following steps: 
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1. Gather all recommended security controls from the aforementioned 
publications. 

2. Eliminate of duplicates from the gathered list. 

3. Eliminate security controls deemed to have such a high level of 
abstraction (i.e., “Implement network segmentation”) as too difficult to 
actually assess from an ROI perspective. 

4. Eliminate costly and time-consuming security controls (i.e., those with a 
large “I” in the ROI calculus). 

5. Select and prioritize security controls based on their qualitative ROI 
(priority to controls with lower investments). 

This chapter has outlined the goals of the choice of top security controls. It 
presents the environmental specifics of the information system to secure, which in 
general can be described as “properly functioning network with no security cyber security 
implemented.” Also the chapter has presented the selection and prioritization approaches 
along with a short discussion of existing “top-lists” of recommended security controls. 
The next chapter enumerates the top security controls chosen, along with the “R” and “I” 
analysis that led to each being included in the top list. 
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IV. SELECTION OF THE TOP SECURITY CONTROLS 


This chapter presents the 13 security controls that this research believes provide 
the highest security ROI for any country or large enterprise that is trying to make quick 
and significant improvements to their cyber security posture. Each control has a general 
description of the security control or its underlying technologies. Each control is also 
provided with a qualitative estimate of its TCO. This TCO estimate includes; initial 
investments, time needed for the implementation, resources required to maintain the 
security control, potential user resistance, and required training. Moreover, the chapter 
provides a subjective analysis of the potential risk reduction, as a result of implementing 
the security control. Finally, the chapter provides some basic guidance and 
recommendations regarding each control’s implementation. 

A. RESTRICT USE OF ADMINISTRATIVE PRIVILEGES BY 

IMPLEMENTING GROUP SECURITY POLICY 

This is a Prevention security control. 

1. Description 

An administrator account is the most powerful account in the Windows 
environment. Such power is not necessary for most users to perform their duties. 
According to the POLP, this account should be restricted to authorized personnel for very 
specific needs and should not be used on a daily/routine basis. Privileged accounts should 
be used for only for initial system configuration, troubleshooting, maintenance 
operations, conducting local audit, and other such rare operations. 

Most exploitation techniques provide an attacker access to the privileges of the 
attacked account. So, if a user with administrative rights inadvertently launches malware, 
the malware will execute with the same administrative privileges as those of a system 
administrator. With such access, the malware can greatly harm the compromised system, 
and perform additional lateral movement attacks across the network. Besides that, non- 
malicious users with admin privileges could create vulnerabilities in the system as they 

have the ability to modify the system configuration, and install or delete software. 
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2 . 


Justification 


This subsection indicates the position of similar security controls in other top-lists 
and provides justification for selecting this security control based on its ROI. 

a. Position of Similar Security Control in the Industry Recommended 
“Top-lists” 

• 5 th position in the “The CIS Critical Security Controls for Effective Cyber 
Defense” (SANS CIS). 

• 4 th position in the “Strategies to Mitigate Targeted Cyber Intrusions” 
(ASCS). 

• 2 nd position in the “IAD’s Top 10 Information Mitigation Assurance 
Strategies” (NSA IAD). 

• 4 th position in the “10 Steps to Cyber Security” (UK NCSC). 

• 4 th position in the “10 Basic Cyber security Measures. Best Practices to 
Reduce Exploitable Weaknesses and Attacks” (Water-ISAC SIC, ICS- 
CERT, FBI). 

b. Return 

A security report by Avecto states that the most critical Microsoft vulnerabilities 
can be neutralized by removing admin rights: “removing admin rights would mitigate 
98% of critical vulnerabilities affecting Windows operating systems, 95% of critical 
vulnerabilities affecting Microsoft Office and 99.5% of vulnerabilities in Internet 
Explorer” [61]. This security control has the potential to greatly constrain exploitation 
effectiveness. Moreover, according to [62], it makes the operating environment more 
stable, as well as easier to administer and troubleshoot, and less likely that a user may 
make inadvertent changes to his/her system that might introduce additional 
vulnerabilities. 


c. Investment 

• Initial investments—requires no additional equipment or software 
purchasing. 

• Implementation time —short (up to two weeks). Depends on the size of the 
unit (number of users). 
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• Maintenance—does not require paid subscriptions or licenses. Does not 
require significant staff involvement. 

• User resistance—while implementing the control the unit, technical 
personnel might encounter medium user resistance because of losing the 
ability to install software and configure the environment. 

• Personnel training—may require short training time (two weeks) on the 
Active Directory Group Policy configuration for technical personnel 
implementing the security control. 

3. Recommendations 

This security control can be implemented using Windows Group Policy (WGP). It 
is the mechanism that can distribute privilege settings to all workstations where the 
administrative privileges need to be restricted. WGP also provides settings for tracking 
the usage of privileged accounts. 

NIST SP 800-53 rev4 recommendations on policies, procedures, and 
implementation include: 

• AC—2 “Account Management” and 

• AC—6 “Least privilege.” 

B. ENFORCE STRONG PASSWORD POLICY (USER ACCOUNTS AND 

EMAILS) BY IMPLEMENTING GROUP SECURITY POLICY 

This is a Prevention security control. 

1. Description 

A password is typically a secret string of characters that a claimant uses to 
authenticate its identity, as stated in [63]. Passwords are used to protect access to 
information, operating systems, hardware, and applications. A password is, in effect, a 
“key to the fortress.” A weak password is a portal for many exploitation techniques and 
can significantly decrease or even bring to naught other security controls and defense 
efforts. 

The longer a user uses the same password, the greater the risk that an attacker 
might discover the password using brute force attacks. Moreover, Microsoft indicates that 
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compromised accounts remain exploitable until the next password change [64]. 
Therefore, enforcement of this security control should consider the following aspects: 

• restricting reuse of passwords (password history); 

• setting maximum password age; 

• setting minimum password length; and 

• ensuring passwords meet complexity requirements. 

2. Justification 

This subsection indicates the position of similar security controls in other top-lists 
and provides justification for selecting this security control based on its ROI. 

a. Position of Similar Security Control in the Industry Recommended 
“Top-lists” 

• 3 rd position in the “The CIS Critical Security Controls for Effective Cyber 
Defense” (SANS CIS). 

• 25 th position in the “Strategies to Mitigate Targeted Cyber Intrusions” 
(ASCS). 

• 7 th position in the “IAD’s Top 10 Information Mitigation Assurance 
Strategies” (NSA IAD). 

• 2 nd position in the “10 Steps to Cyber Security” (UK NCSC). 

• 5 th position in the “10 Basic Cybersecurity Measures. Best Practices to 
Reduce Exploitable Weaknesses and Attacks” (Water-ISAC SIC, ICS- 
CERT, FBI). 

b. Return 

If a password complexity policy is not enforced, users will likely resort to 
selecting low-entropy passwords that are short and easy to remember. Such simple 
passwords are very easy to crack using automated dictionary or brute force attacks. 
Research by CynoSure Prime on 11.7 million cracked passwords shows that about 80% 
of them were not compliant with most industry recommendations and standards 
pertaining to password selection [65]. The research also shows that 78.6% did not match 
complexity requirements (e.g., contained only lower case letters) and 68.4% were too 
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short (e.g., fewer than eight characters) [65]. Another study by TeleSign shows that 47% 
of users use a password that is at least five years old [66]. Strong passwords can mitigate 
password cracking and guessing attacks, and reduce the risk of compromise of 
applications using password-based authentication. 


c. Investment 

• Initial investments—requires no additional equipment or software 
purchasing. 

• Implementation time— very short (two days). 

• Maintenance—does not require paid subscriptions or licenses. Does not 
require significant staff involvement. 

• User resistance—while implementing the control, the unit technical 
personnel might encounter medium user resistance due to usability 
disadvantages related to complex passwords. 

• Personnel training—requires no additional training for technical personnel 
implementing the security control. 

3. Recommendations 

This security control for operating system accounts can be implemented using 
WGP. Enforcement of password policy for email accounts might be implemented through 
the configuring of the email server or application. 

NIST SP 800-53 rev4 recommendations on policies, procedures, and 
implementation include IA-5 “Authenticator Management.” 

Related publications and resources include: 

• NISP SP 800-118 “Guide to Enterprise Password Management (Draft)” 
and 

• Microsoft TechNet publication “How to Configure Security Policy 
Settings.” 

C. ESTABLISH BASIC BOUNDARY DEFENSE BY DEPLOYING 

NETWORK INTRUSION PREVENTION SYSTEM 

This is a Preventive and Detection security control. 
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1. Description 

The network intrusion detection/prevention system is an enterprise security 
technology that identifies suspicious network events, then logs them, blocks them, and— 
optionally—sends a notification to a security administrator, as defined in [33]. It works 
by analyzing inbound and outbound network traffic using deep packet inspection. Unlike 
many firewalls, which only analyze packet headers and filter traffic based solely on 
protocol, network addresses and ports; an intrusion prevention system (IPS) analyzes a 
packet’s headers and payloads, looking for indicators of real or potential malicious 
activity. That is why, topologically, an IPS is usually deployed after a network firewall. 
In such a scheme the firewall performs an important role of pre-filtering traffic before the 
IPS, which might otherwise be overwhelmed by a high volume of extra traffic. 

One of the advantages of an IPS is that deployment of it usually does not require 
drastically changing existing network architecture. IPS deployment in the network 
topology is sometimes referred to as “bump in the wire.” This implies that the IPS can be 
“inserted” on the network path (“wire”) without having to make any configuration 
updates/changes to any other devices in the protected network. Another benefit of most 
modem IPSs is that they can perform threat prevention without extensive initial 
configuration. This is made possible by simply employing some or all of the many filter 
signatures that are made available by the vendor. Of further benefit is the fact that the 
update of these signatures are typically included as part of the licensing of the product. 
Further tailoring and creation of custom rules can further the effectiveness of an IPS, and 
decrease the occurrence of false-positives and false-negatives. However, such customized 
tuning requires some depth of technical understanding, by the rule developer, of the 
application and services used, normal network behavior, and other environmental 
specifics. 

2. Justification 

This subsection indicates the position of similar security controls in other top-lists 
and provides justification for selecting this security control based on its ROI. 
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a. Position of Similar Security Control in the Industry Recommended 
“Top-lists” 

• 12 th position in the “The CIS Critical Security Controls for Effective 
Cyber Defense” (SANS CIS). 

• 33 rd position in the “Strategies to Mitigate Targeted Cyber Intrusions” 
(ASCS). 

• 10 th position in the “IAD’s Top 10 Information Mitigation Assurance 
Strategies” (NSA IAD). 

• 3 rd position in the “10 Steps to Cyber Security” (UK NCSC). 

• 2 nd position in the “10 Basic Cybersecurity Measures. Best Practices to 
Reduce Exploitable Weaknesses and Attacks” (Water-ISAC SIC, ICS- 
CERT, FBI). 

b. Return 

According to the Symantec study, “IPS protects against a wide range of security 
issues, which includes vulnerabilities, zero day exploits, exploit kits (EK), social 
networking threats, command and control (C&C) activities (back doors and botnets), 
online scams, malvertising, phishing, and many more” [67]. Furthermore, IPSs can also: 

• identify reconnaissance activity, detecting scans, and probes; 

• provide incident log information for incident investigation; 

• identify potential violations of an organization’s security policies; 

• block specified application traffic; and 

• prevent data exfiltration and monitor file transfers. 

The IPS provides an additional layer of network defense and can potentially 
detect and block malicious activities that lesser-capable firewalls may not detect. 
According to the latest exhaustive tests of IPS solutions, security effectiveness ranged 
from 24.9% to 99.9% [68]. These tests covered the eight most popular, as of 2016, 
network IPSs, and included 1,986 exploits and 120 evasion techniques. In this research, 
the security effectiveness was based on a comprehensive score that included both exploit 
detection rates, and resistance to known evasion techniques. Along with this, a network- 
based intrusion prevention system (NIPS) can be used to troubleshoot network problems 
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or measure and document typical network traffic and patterns; which can be valuable for 
statistics-based anomaly detection analysis. 

c. Investment 

• Initial investments—requires purchasing and deployment of several NIPS 
devices. 

• Implementation time— medium (up to four weeks). 

• Maintenance—requires paid subscriptions or licenses. Requires medium 
24/7 staff involvement for monitoring security events and NIDS reports. 

• User resistance—while implementing the control, technical personnel 
likely encounter low user resistance, as it does not affect user experience 
and usability. 

• Personnel training—may require a vendor-specific short-time training 
(two weeks) on the NIPS deployment, initial configuration, and tuning for 
technical personnel implementing the security control. 

3. Recommendations 

The IPS can be implemented as software or hardware. Typically IPS 
infrastructure consists of network sensors, an administrator console with a graphical user 
interface, and possibly an analysis and database server. Placement of an IPS mostly 
depends on network architecture, services provided, and available sensors. However, it is 
prudent to place it behind a screening firewall that is denying all traffic that is not 
essential to business or operations. Doing so should reduce the workload of the IPS and 
reduce the possibility of it becoming a network bottleneck. To detect, localize, and 
prevent propagation of attacks inside of the network, the IPS should be placed on the 
network segments’ borders (i.e., entry-/exit-points). 

NIST SP 800-53 rev4 recommendations on policies, procedures, and 
implementation include: 

• SI-4 “Information System Monitoring” and 

• SC-7 “Boundary protection.” 

Related publication—NIST SP 800-94 “Guide to Intrusion Detection and 
Prevention Systems (IDPS).” 
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D. DEVELOP BASIC RECOVERY CAPABILITY BY PERFORMING 

REGULAR BACKUP OF SERVERS 

This is a Recovery security control. 

1. Description 

From a CIA-triad perspective, backups can help to maintain availability of data. 
In many areas, and specifically in military operations, data is the most valuable asset of a 
computer system. Unlike, for instance, an operating system that can be easily (relatively) 
reimaged or reinstalled, mission crucial data, if not backed up, are very difficult to 
recreate. Back up, in general terms, means to create copies of information and store it in a 
secure location that is sufficiently separated/isolated from the original data source. The 
degree of separation/isolation, and the complexity of the duplication (e.g., RAID, remote 
site, journaled, full- vs. differential-backup, etc.) can be determined by rather simple 
impact analysis. Such analysis would consider the potential harm to the organization’s 
mission or business should certain data be lost. The investment made in the back up 
capability should then be in direct proportion to the determined potential harm. This is a 
straight-forward application of risk management. 

It is essential to have backups of important information, as such data can be 
physically destroyed, logically destroy data (e.g., deleted), encrypted by ransomware, or 
lost due to some natural disaster; among other possibilities. For instance, Backblaze’s 
research shows that 22% of hard drives experience a hard crash in the first four years of 
utilization [69]. Another study claims that “hardware or system failure accounts for 78% 
of all data loss” [70]. After such incidents, whether intentional or accidental, it is 
relatively easy to restore information from backups, if such backups are available. Having 
such backups readily available would significantly reduce the harm caused by any 
incident that involved the destruction of data. 

2. Justification 

This subsection indicates the position of similar security controls in other top-lists 
and provides justification for selecting this security control based on its ROI. 
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a. Position of Similar Security Control in the Industry Recommended 
“Top-lists” 

• 10 th position in the “The CIS Critical Security Controls for Effective 
Cyber Defense” (SANS CIS). 

• Not included in the “Strategies to Mitigate Targeted Cyber Intrusions” 
(ASCS). 

• Not included in the “IAD’s Top 10 Information Mitigation Assurance 
Strategies” (NSA IAD). 

• Not included in the “10 Steps to Cyber Security” (UK NCSC). 

• Not included in the “10 Basic Cybersecurity Measures. Best Practices to 
Reduce Exploitable Weaknesses and Attacks” (Water-ISAC SIC, ICS- 
CERT, FBI). 

b. Return 

Return on this security control can be expressed in terms of potential harm 
mitigated by data recovery. For example, according to business statistics, “93% of 
companies that lost their data center for 10 days or more due to a disaster filed for 
bankruptcy within one year of the disaster. 50% of businesses that found themselves 
without data management for this same time period filed for bankruptcy immediately” 
[71]. In the military sphere, the ability to restore corrupted data in a timely manner can be 
a key factor for mission success. Even organizationally and technically simple methods 
of full disk imaging backup can mitigate dozens of devastating scenarios when cmcial 
data are lost. This simple approach has very low upfront cost due to cheap storage 
memory, but has very high return in terms of fast restoration of valuable data lost. 

c. Investment 

• Initial investments—requires purchasing and deployment of network data 
storage. 

• Implementation time— very short (two days). 

• Maintenance—does not require paid subscriptions or licenses. Requires 
low staff involvement. 


46 



• User resistance—while implementing the control, technical personnel will 
likely encounter low user resistance, as it does not affect user experience 
and usability. 

• No additional training is required for technical personnel implementing the 
security control. 

3. Recommendations 

At minimum, primary servers providing core services should be backed up at least 
once per week. As a starting technique, external low-cost storage can be used to store 
copies of servers’ hard drives. Various open-source software or software provided with 
hardware solutions can be used to automate this process. The following recommendations 
of the Massachusetts Institute of Technology should be considered for backup 
enhancement. 

• Encrypt backups that contain sensitive data. 

• Keep extra backups off-site in a secure location (in case of property 
damage). 

• Verify your backups to make sure files are retrievable. 

• Sanitize or destroy your backups (e.g., tapes, CDs) before discarding 

them. [72] 

NIST SP 800-53 rev4 recommendations on policies, procedures, and 

implementation include: 

• CP-9 “Information System Backup” and 

• CP-10 “Information System Recovery and Reconstitution.” 

Related publication and resources include: 

• NIST SP 800-34 revl “Contingency Planning Guide for Federal 

Information Systems” and 

• Microsoft TechNet publication “Backing Up Your Server.” 

E. MITIGATE GENERIC EXPLOIT TECHNIQUES BY DEPLOYING 

ENHANCED MITIGATION EXPERIENCE TOOLKIT 

This is a Prevention and Detection security control. 
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1. Description 

Many operating systems provide anti-exploitation features that monitor running 
applications for common exploitation techniques. In the Windows environment, the most 
used tool set for the operating system (OS) generic exploit mitigation is the Enhanced 
Mitigation Experience Toolkit (EMET). According to the “IAD’s Top 10 Information 
Mitigation Assurance Strategies,” EMET can provide “fundamental protection against 
common classes of exploitation used as building blocks of zero day attacks” [60]. This 
free security tool, distributed by Microsoft, can make system flaws very hard to exploit. It 
focuses on breaking exploitation techniques by applying mitigation technologies (e.g., 
injecting an EMET.dll into running executables) to applications. When EMET detects an 
attempt to exploit running application, it shuts down the attacked application and notifies 
the user. EMET is not application specific, and works even with legacy software. 
Functionally, the EMET provides vulnerability mitigation after the firewall and before 
antimalware application. Security tools like Address Space Layout Randomization 
(ASLR) and Data Execution Prevention (DEP), included in the EMET, significantly 
reduce the attack surface of an operating system and the individual applications running 
on it. EMET is constantly evolving and has more security tools included. Additionally, 
EMET can identify the processes that are not using DEP, and can then enable it on the 
process’ underlying application, without having to recompile the application. 

ASLR can prevent many exploitation techniques by randomizing the location of 
data in memory. ASLR makes the layout of applications’ address space different on all 
workstations. As a result, an attacker cannot make logical assumptions about a targeted 
object’s (i.e., code) location in memory. DEP prevents exploitation techniques based on a 
direct injection and execution forged programming code from locations of memory 
intended for data. 

2. Justification 

This subsection indicates the position of similar security controls in other top-lists 
and provides justification for selecting this security control based on its ROI. 
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a. Position of Similar Security Control in the Industry Recommended 
“Top-lists” 

• 8 th position in the “The CIS Critical Security Controls for Effective Cyber 
Defense” (SANS CIS). 

• 7 th position in the “Strategies to Mitigate Targeted Cyber Intrusions” 
(ASCS). 

• 5 th position in the “IAD’s Top 10 Information Mitigation Assurance 
Strategies” (NSA IAD). 

• 7 th position in the “10 Steps to Cyber Security” (UK NCSC). 

• Not included in the “10 Basic Cybersecurity Measures. Best Practices to 
Reduce Exploitable Weaknesses and Attacks” (Water-ISAC SIC, ICS- 
CERT, FBI). 

b. Return 

Generic exploit mitigation tools can provide an additional layer of defense against 
common exploitation techniques and malware attacks. According to the latest Microsoft 
research on EMET effectiveness against the most popular application used with Windows 
operating systems, EMET drastically reduces the exploits’ effectiveness on Windows XP. 
From 184 application exploits collected from the company’s customers worldwide, only 
21 exploits succeeded on Windows XP protected by EMET [73]. Figure 3 shows the 
results of the study. 
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The Risk Management Framework provides a disciplined and structured process that 
integrates information security and risk management activities into the system 
development life cycle. Source: Microsoft’s Free Security Tools - Enhanced Mitigation 
Experience Toolkit. 

Figure 3. The Effectiveness of 184 Exploits for Popular Applications on 

Windows XP, Windows XP with EMET Deployed, and Windows 7. 

Source: [73]. 



c. Investment 

• No additional equipment or software purchasing is required. 

• Implementation time —short (up to one week). 

• Maintenance—does not require paid subscriptions or licenses. Does not 
require significant staff involvement. 

• User resistance—while implementing the control, technical personnel will 
likely encounter low user resistance, as it does not affect user experience 
and usability. 

• No additional training is required for technical personnel implementing the 
security control. 

3. Recommendations 

EMET starting with version 3.0 has integrated functionality for enterprise 
deployment and centralized configuration. The deployment can be performed through the 
use of Group Policy or System Center Configuration Manager (SCCM). These 
technologies also enable large-scale enterprise configuration and monitoring. 
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NIST SP 800-53 rev4 recommendations on policies, procedures, and 
implementation include SI-3 “Malicious code protection.” 

Related publication include the “Enhanced Mitigation Experience Toolkit 
(EMET) 5.52 User Guide.” 

F. ENHANCE END-POINT SECURITY BY DEPLOYING HOST 

INTRUSION PREVENTION SOLUTION 

This control is Prevention and Detection security control. 

1. Description 

A host intrusion prevention system (HIPS) is often used as an additional layer of 
protection for an individual device: workstation or server. HIPS can be integrated with an 
antimalware solution, or can be deployed as a separate dedicated solution. In contrast 
with antimalware software, which works by comparing machine code to the known 
malicious code patterns (signatures), HIPS can stop malware and other malicious 
activities by monitoring the behavior of the running processes. In this way, HIPS can 
provide a certain level of protection against unknown “zero day” threats, as a HIPS does 
not depend on specific threat signatures. 

2. Justification 

This subsection indicates the position of similar security controls in other top-lists 
and provides justification for selecting this security control based on its ROI. 

a. Position of Similar Security Control in the Industry Recommended 
Top-lists” 

• 8 th position in the “The CIS Critical Security Controls for Effective Cyber 
Defense” (SANS CIS). 

• 8 th position in the “Strategies to Mitigate Targeted Cyber Intrusions” 
(ASCS). 

• 6 th position in the “IAD’s Top 10 Information Mitigation Assurance 

Strategies” (NSA IAD). 

• 7 th position in the “10 Steps to Cyber Security” (UK NCSC). 


51 



• 4 th position in the “10 Basic Cybersecurity Measures. Best Practices to 
Reduce Exploitable Weaknesses and Attacks” (Water-ISAC SIC, ICS- 
CERT, FBI). 

b. Return 

HIPS can substantially enhance protection of the end-user workstations and 
servers by adding an additional layer of defense to signature-based antimalware. The 
HIPS can mitigate various host-aimed threats and intrusion activities typically 
undetectable by traditional antimalware. One of the biggest benefits of HIPS, is that 
unl ik e NIPS, it can be customized to an individual system. Such customization can take 
into account the specifics of the workstations or servers with respect to the applications 
installed, services provided, user roles, etc. This, in turn, can decrease the rate of false 
positive alerts. Most HIPS also provide defenders with the means to create custom rules 
that can help to localize and eradicate recently discovered threats and exploits. HIPS can 
be an effective tool for the detection of APT activities in the network based on the hosts’ 
alerts. Along with this, HIPS can detect attacks that use encrypted traffic; whereas a NIPS 
solution could not. 

c. Investment 

• Initial investments—requires purchasing software. Some solutions may 

require deploying a dedicated update server. 

• Implementation time— medium (up to four weeks). 

• Maintenance—requires paid subscriptions or licenses. Does not require 
significant staff involvement. 

• User resistance—while implementing the control, technical personnel will 
likely encounter low user resistance, as it does not affect user experience 
and usability. 

• Personnel training—requires no additional training for technical personnel 
implementing the security control. 

3. Recommendations 

To reduce the TCO, the HIPS should be integrated with the antimalware solution 
where the environment allows it. Using an integrated solution (HIPS + antimalware) 
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instead of two separate solutions will decrease investments needed for purchasing end¬ 
point security solutions. It also reduces the involvement of staff in terms of the security 
controls deployment, configuration, and monitoring. A HIPS integrated with antimalware 
software or end-point protection suites provides basic functionality, but is relatively easy 
to deploy. 

In the case where a separate, non-integrated, HIPS solution is used, it can be 
remotely deployed using the WGP. Dedicated HIPS solutions usually provide more 
advanced functionality and better protection. However, we do not recommend using them 
for rapid cyber capability development. Because dedicated HIPS in most cases will 
require higher investments. Along with this, they might require significant effort, 
knowledge, and skills for tailoring and further tuning. Also, some dedicated HIPS might 
not be compatible with antimalware installed on the host. 

NIST SP 800-53 rev4 recommendations on policies, procedures, and 

implementation include: 

• SI-4 “Information System Monitoring” and 

• SI-3 “Malicious code protection.” 

Related publications include NIST SP 800-94 “Guide to Intrusion Detection and 
Prevention Systems (IDPS).” 

G. CONTROL SOFTWARE EXECUTION BY IMPLEMENTING 

APPLICATION WHITELISTING 

This is a Prevention security control. 

1. Description 

NIST defines an application whitelist as “a list of applications and application 
components (libraries, configuration files, etc.) that are authorized to be present or active 
on a host according to a well-defined baseline” [74]. Software whitelisting is a proactive 
security technique that allows users to run only approved software and prevents execution 
and installation of all other applications on the system. Software whitelisting technologies 
and control programs are intended to prevent the execution of malicious code or any 
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other unauthorized applications. Unlike antimalware programs, which implement 
blacklisting (i.e., block known harmful operations and permit any other), software 
whitelisting helps to reduce the target surface area by not even allowing the possibility of 
code to run, when that code is associated with applications deemed non-essential to an 
organization’s mission. 

A whitelist should include software necessary for the user to perform assigned 
duties. Each application increases the system’s attack surface by introducing potential 
security flaws. Therefore, the whitelist should be as narrow as possible and carefully 
developed in adherence with the POLP. This security control is a very effective tool for 
blocking malware execution. However, some infection techniques can evade whitelisting 
by malicious memory injections, interpreted code, Java shell code or macros, and kernel- 
level attacks. Nevertheless, as stated in [75], software control, in most cases, can prevent 
morphing of the initial compromise into a situation in which the malware or attacker 
obtains full control. 

Computers without software whitelisting mechanisms implemented are more 
likely to be infected by malware and to violate copyright laws, by running software that is 
unnecessary to mission tasking. Attackers often use infected computers as a staging point 
for further propagation into the network. This includes, but is not limited to, collecting 
sensitive data from exploited workstations, servers, and network devices, and launching 
attacks against other systems connected to compromised ones. This, according to SANS, 
can lead to turning one compromised computer into many [56]. 

2. Justification 

This subsection indicates the position of similar security controls in other top-lists 
and provides justification for selecting this security control based on its ROI. 

a. Position of Similar Security Control in the Industry Recommended 
“Top-lists” 

• 2 nd position in the “The CIS Critical Security Controls for Effective Cyber 
Defense” (SANS CIS). 
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• 1 st position in the “Strategies to Mitigate Targeted Cyber Intrusions” 
(ASCS). 

• 1 st position in the “IAD’s Top 10 Information Mitigation Assurance 
Strategies” (NSA IAD). 

• 7 th position “10 Steps to Cyber Security” (UK NCSC). 

• Not included in the “10 Basic Cybersecurity Measures. Best Practices to 
Reduce Exploitable Weaknesses and Attacks” (Water-ISAC SIC, ICS- 
CERT, FBI). 

b. Return 

In the Gartner report on protection of endpoints by application control, application 
control is described as “a very effective method to block malware-based attacks, 
including new and targeted attacks, malicious insider attacks and dangerous user 
behavior” [75]. According to the report, control of whitelisting software execution has the 
following advantages: 

• Reduces the frequency and severity of malware incidents. 

• Detects potential insider threats or user policy violation attempts (for 
instance, downloading hacking tools, attempts to load unauthorized 
applications). 

• Blocks unwanted potential backdoor applications not detectable by 
antimalware. 

• Reduces vulnerabilities by limiting software sprawl (that is, multiple 
browsers and related plug-ins, Adobe/browsers on servers). 

• Blocks common malware techniques and indicators of compromise (for 
instance, no execute from trash bin, no double extensions, and no header 
extension mismatches). 

• Provides incident response and investigation capabilities, such as a search 
of all workstations with certain executable files, removal of unwanted or 
malicious software already installed, and blocking newly discovered 
malware before corresponding blocking signatures become available. [75] 

c. Investment 

• Initial investments— no additional equipment or software purchasing 
required. 
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• Implementation time— medium (up to four weeks). Depends on variety of 
software used in the unit, variety of employee roles and needs, use of the 
uncommon applications. 

• Maintenance—does not require paid subscriptions or licenses. Requires 
medium staff involvement. 

• User resistance—while implementing the control, the unit technical 
personnel might encounter medium user resistance due to losing the ability 
to install software and run unspecified software. 

• Personnel training—requires no additional training for technical personnel 
implementing the security control. 

3. Recommendations 

Software whitelisting can be implemented using MS Windows built-in tools 
(Software Restriction Policies and AppLocker), application execution tools that come 
with antimalware software or by implementing more expensive commercial whitelisting 
tools. Along with that, many of today’s endpoint security suites, personal firewalls, and 
host intrusion detection systems provide features performing pre-launch checks of an 
application’s name, location, hash, vendor’s certificate, and other parameters to 
determine whether this software can be run. Windows’ built-in tools provide basic 
application control capabilities. However, they do not provide the means for centralized 
monitoring and management of application execution. 

NIST SP 800-53 rev4 recommendations on policies, procedures, and 
implementation include: 

• CM-8 “Information System Component Inventory,” 

• CM-10 “Software Usage Restrictions,” and 

• CM-11 “User-installed Software.” 

Related publications and resources include: 

• NIST SP 800-167 “Guide to Application Whitelisting” and 

• NIST SP 1800-5 “IT Asset Management Practice Guide.” 
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H. ESTABLISH SYSTEMATIC OPERATING SYSTEM PATCHING BY 

DEPLOYING UPDATE SERVER 

This is a Prevention security control. 

1. Description 

A patch is the change introduced into a piece of programming in order to fix 
discovered security or functionality issues, or to add new functionality. NIST defines 
patch management as “the process for identifying, acquiring, installing, and verifying 
patches for products and systems” [76]. The intent of security patching is to correct 
security flaws in software and firmware and in this way to mitigate software 
vulnerabilities. Performing security patching in a systematic and timely manner (the 
higher vulnerability to be patched—the higher the priority) can significantly reduce the 
risk of exploitation. On the contrary, delays in implementing already released updates 
increase the risk of successful exploitation of the vulnerable software. After a security 
patch release, information about a discovered software vulnerability becomes publicly 
available. According to the Microsoft publications, many successful attacks using 
security flaws are performed a short time after such security update releases [77]. 

These updates are usually developed and released by software vendors for no 
additional cost to users. This release is typically conducted on a periodic basis. For 
instance, Microsoft releases patches for the Windows operating system every Tuesday. 
However, security updates for very critical vulnerabilities discovered might be done 
earlier than a typical schedule. According to SANS, “Any significant delays in finding or 
fixing software with dangerous vulnerabilities provides ample opportunity for persistent 
attackers to break through, gaining control over the vulnerable machines and getting 
access to the sensitive data they contain” [78]. 

2. Justification 

This subsection indicates the position of similar security controls in other top-lists 
and provides justification for selecting this security control based on its ROI. 
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a. Position of Similar Security Control in the Industry Recommended 
“Top-lists” 

• 4 th position in the “The CIS Critical Security Controls for Effective Cyber 
Defense” (SANS CIS). 

• 3 rd position in the “Strategies to Mitigate Targeted Cyber Intrusions” 
(ASCS). 

• 9 th position in the “IAD’s Top 10 Information Mitigation Assurance 
Strategies” (NSA IAD). 

• 2 nd position in the “10 Steps to Cyber Security” (UK NCSC). 

• Not included in the “10 Basic Cybersecurity Measures. Best Practices to 
Reduce Exploitable Weaknesses and Attacks” (Water-ISAC SIC, ICS- 
CERT, FBI). 

b. Return 

Implementation of this security control can significantly decrease the number of 
successful exploitations of systems and application vulnerabilities. According to the 
Center for Strategic and International Studies report, 75% of attacks could be prevented 
by regularly deploying patches [53]. The Common Vulnerabilities and Exposures 
database, which contains information on publicly known vulnerabilities, demonstrates 
that operating systems can have many vulnerabilities. For instance, the Windows 7 
operating system which, despite being designed with serious consideration of security, 
still has hundreds of vulnerabilities of various types discovered every year (Figure 4). 
Most, if not all, of these vulnerabilities can be fixed by timely patching; otherwise, they 
will be exploited by attackers. Some of these vulnerabilities can lead to high criticality 
incidents that can potentially jeopardize mission accomplishment. 
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Vulnerabilities By Year 


Vulnerabilities By Type 



2009 15 

2010 64 
■ 2011 102 

■ 2012 44 

2013 99 
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2015 147 

■ 2016 134 

■ 2017 1 
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H Denial of Service 75 
H Execute Code 192 

■ Overflow 91 
Memory Corruption 47 

■ xSS 3 

I Bypass Something 52 
Gain Information 57 
I Gain Privilege 319 
Directory Traversal 2 


Windows 7 operating system has numerous vulnerabilities that can be patched, otherwise 
exploited by attackers. Details: Microsoft Windows 7 Vulnerability Statistics. 

Figure 4. Windows 7 Vulnerability Overview. Source: [79]. 


c. Investment 

• Initial investments—requires purchasing and deployment of a dedicated 
update server with Windows Server operating system. 

• Implementation time— medium (up to four weeks). 

• Maintenance—does not require paid subscriptions or licenses. Does not 
require significant staff involvement. 

• User resistance—while implementing the control, the technical personnel 
will probably encounter low user resistance, as it does not affect user 
experience and usability. 

• Personnel training—requires a short-time training (two weeks) on the 
Windows Server Update Service (WSUS) deployment and configuration 
for technical personnel implementing the security control. 

3. Recommendations 

Patch management can be implemented with Microsoft features (i.e., WSUS) and 
free services (i.e., Windows Update) well integrated with Microsoft Active Directory 
architecture. Third-party software provides additional features and functionality. 
However, it requires higher initial investments and paid annual licenses. 

NIST SP 800-53 rev4 recommendations on policies, procedures, and 
implementation include SI-2 “Flaw Remediation.” 

Related publications and resources include: 
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• NIST SP 800-40 rev3 “Guide to Enterprise Patch Management 

Technologies” and 

• Microsoft TechNet publication “Windows Server Update Services 

Overview.” 

I. PERFORM USER ACTIVITY MONITORING AND SYSTEMATIC 

AUDIT BY IMPLEMENTING GROUP SECURITY POLICIES 

This control is a Deterrence and Detection security control. 

1. Description 

User activity monitoring is the security practice of monitoring and recording 
actions executed by users on the computer system. Monitored activities can include 
access to sensitive information, file/object operations (creation/modification/deletion), 
logon/logoff events, use of applications, access to network resources and services, etc. 
User activity monitoring and audits should not cover all resources and activities as this 
could result in generating too much data, including myriad benign audit entries that offer 
little in the way of true-positive detection of malicious activity. This, in turn, could 
overwhelm an auditor and hinder his/her ability to identify truly malicious activities. 
Thus, monitoring and audit should include only the most critical events and objects. 
Special attention should be paid to privileged permissions used by administrator 
accounts, as such activities, if misused, can cause the most damage. The following 
administrative activities are good examples of what should be audited: security policy 
modification or cancelation, creation of new administrator or user accounts, changing 
access permissions for folders and files with sensitive information, failed logons to the 
administrator accounts, clearing of the audit logs, and stoppage of any security control. 

2. Justification 

This subsection indicates the position of similar security controls in other top-lists 
and provides justification for selecting this security control based on its ROI. 
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a. Position of Similar Security Control in the Industry Recommended 
“Top-lists” 

• 6 th position in the “The CIS Critical Security Controls for Effective Cyber 
Defense” (SANS CIS). 

• 6 th position in the “Strategies to Mitigate Targeted Cyber Intrusions” 
(ASCS). 

• Not included in the “IAD’s Top 10 Information Mitigation Assurance 
Strategies” (NSA IAD). 

• 7 th position in the “10 Steps to Cyber Security” (UK NCSC). 

• 4 th position in the “10 Basic Cybersecurity Measures. Best Practices to 
Reduce Exploitable Weaknesses and Attacks” (Water-ISAC SIC, ICS- 
CERT, FBI). 

b. Return 

Account monitoring and audit is a powerful tool to enhance the security of an 
organization. This security control supports accountability and acceptable use policy. For 
instance, if users are aware that they are being monitored, the risk of detection and 
corresponding punishment make policy violations or irresponsible behavior less likely. 
Thus, user activity audit and monitoring is a powerful factor for deterring users from 
violating security policies. In this way it can be a mitigation factor against an insider 
threat. And insiders, according to the Intel report, were responsible for 43% of data loss, 
and 50% of these accidents were intentional [80]. 

This security control can also be used for other various purposes, such us incident 
investigation, computer forensics, security policy compliance, and troubleshooting. 
Audits are also used for detection of suspicious behavior, to identify and mitigate flaws in 
security mechanisms implemented. 

c. Investment 

• Initial investments— No additional equipment or software purchasing 
required. 

• Implementation time— medium (up to four weeks). 
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• Maintenance—does not require paid subscriptions or licenses. Requires 
significant staff involvement for continuous audit activities. 

• User resistance—while implementing the control, technical personnel will 
likely encounter low user resistance as it does not affect user experience 
and usability. 

• Personnel training—requires a short-time training (two weeks) on the 
Advanced Security Audit policy settings for technical personnel 
implementing the security control. 

3. Recommendations 

The Windows operating system provides a logging functionality to establish a 
tracking system that can record information about system and security events associated 
with potential violations and harmful behaviors. User activity monitoring and account 
audit can be implemented through the Advanced Security Audit policy settings. This 
WGP feature contains 53 different audit settings on audit events for specific activities and 
events. For planning purposes, it is necessary to identify the unit’s most critical resources 
and the most important activities that need to be tracked. This typically includes the 
changes to security policies, changes to user accounts, use of administrative privileges, 
successful and unsuccessful logon events, modification of certain files and folders, etc. 

For legal purposes, the informational disclaimer should be displayed after every 
logon. The disclaimer should contain a warning that user activities on this governmental 
system are being monitored according to the security policy. 

NIST SP 800-53 rev4 recommendations on policies, procedures, and 
implementation include: 

• AC-2 “Account Management,” 

• AC-3 “Access Enforcement,” 

• AC-7 “Unsuccessful Logon Attempts,” and 

• SI-4 “Information System Monitoring.” 

Related publications and resources include: 

• NIST SP 800-92 “Guide to Computer Security Log Management” and 
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• Microsoft TechNet publication “Audit data and user activity.” 

J. PREVENT UNAUTHORIZED DEVICES FROM GETTING NETWORK 

ACCESS BY DEPLOYING AAA-SERVER 

This is a Prevention and Detection security control. 

1. Description 

Personal devices connected to an organization’s operational network can result in 
access vectors for attackers, as personal devices often have unpatched software, out-of- 
date antimalware, and improper security settings that are easy to exploit. Thus, only 
authorized devices that are compliant with an organization’s security policy should be 
permitted to connect to the network. Preventing access to the network by unauthorized 
devices is usually enforced through network access control or network admission control 
(NAC) solutions. 

NAC typically includes the identification of the device, authorization and a check 
for compliance with security policy. However, this security control does not consider the 
last component, as a security compliance check requires the deployment of dedicated 
servers and configuring complex decision delegation schemes. Authentication and 
authorization components can by implemented by deploying an AAA server 
(authentication, authorization, and accounting) that handles user requests for access to 
network resources. 

According to NIST SP 800-53 rev4, device identification is typically performed 
using MAC-address and IP-address authentication—by IEEE 802. lx and Kerberos 
protocols and remote authentication dial-in user service (RADIUS) server. The current de 
facto standard used for interaction between devices and an AAA server is RADIUS. This 
service is integrated on Windows Server operating systems as the Network Policy Server 
as a component of Network Policy and Access Services. 

2. Justification 

This subsection indicates the position of similar security controls in other top-lists 
and provides justification for selecting this security control based on its ROI. 
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a. Position of Similar Security Control in the Industry Recommended 
“Top-lists” 

• 1 st position in the “The CIS Critical Security Controls for Effective Cyber 
Defense” (SANS CIS). 

• Not included in the “Strategies to Mitigate Targeted Cyber Intrusions” 
(ASCS). 

• 10 th position in the “IAD’s Top 10 Information Mitigation Assurance 
Strategies” (NSA IAD). 

• 3 rd position in the “10 Steps to Cyber Security” (UK NCSC). 

• Not included in the “10 Basic Cybersecurity Measures. Best Practices to 
Reduce Exploitable Weaknesses and Attacks” (Water-ISAC SIC, ICS- 
CERT, FBI). 

b. Return 

NAC is a fundamental security control. Failure to perform NAC can potentially 
diminish the effectiveness of other security controls and protection mechanisms. It is a 
difficult task to protect the network when a vulnerable or infected device can be 
introduced to the network unseen. Moreover, providing uncontrolled network admission 
can result eventually in a malicious insider connecting a personal device loaded with 
tools to perform attacks from within a defensive perimeter. By implementing even a basic 
“go/no-go” solution, NAC can effectively limit the possibility of such cyber incidents 
from occurring. 

SANS, in its white paper on NAC, highlights that the deployment of NAC allows 
IT-teams to “more readily track assets, see possible issues and address potential 
violations” [81]. Organizations that have implemented advanced NAC solutions, 
according to the research of ForeScout on the effectiveness of NAC, “experience 50% 
fewer network-related security breaches” [82]. Also the research indicates that 
deployment of NAC results in identifying 24% more of the devices on the organization’s 
network. 
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c. Investment 

• Initial investments—requires purchasing and deployment of a dedicated 
AAA server. 

• Implementation time— significant (up to two months), requires 
reconfiguring all network access switches. 

• Maintenance—does not require paid subscriptions or licenses. Requires 
low staff involvement. 

• User resistance—while implementing the control, technical personnel will 
likely encounter medium user resistance as it constraints BYOD-approach. 

• Personnel training—may require a vendor-specific short-time training 
(two weeks) on the Configuring the RADIUS and TACACS+ protocols for 
technical personnel implementing the security control. 

3. Recommendations 

This security control can be implemented by deploying various network access 
control technologies. For instance, Microsoft provides Network Access Protection 
platform and protocols. According to Chris Boscolo, one key benefit of NAP is that it can 
receive and process information from most antimalware applications via the Windows 
Security Center [83]. Cisco has the Network Admission Control Framework that provides 
numerous tools and protocols that can comprehensively mitigate threats related with 
unauthorized device connection issues. Cisco’s NAC allows network access only to 
security policy compliant devices and restricts the access of noncompliant ones. 

NIST SP 800-53 rev4 recommendations on policies, procedures, and 
implementation include: 

• IA-3 “Device Identification and Authentication” and 

• CM-8 “Information System Component Inventory.” 

Related publications and resources include: 

• Microsoft TechNet publication “Network Policy Server” and 

• Cisco publication “Network Admission Control Framework Deployment 
Guide.” 
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K. ENHANCE BOUNDARY DEFENSE BY CONFIGURING ACCESS FISTS 

ON THE BORDER AND INNER ROUTERS 

This is a Prevention and Detection security control. 

1. Description 

Routers and switches, the devices that transport data across and between 
networks, are fundamental components of modem network topologies. These devices are 
also targets for numerous cyber attacks. However, properly configured routers can 
become the first layer of defense from external attack by performing basic traffic 
filtering. One of the main security features most routers and switches can implement is 
the access control lists (ACL) feature. Cisco defines ACL as a set of rules that specifies 
conditions that a packet must satisfy to match the rule [84]. 

An ACL can be applied to each of the routers’ interfaces to filter both inbound 
and outbound traffic going through the interface. Most network equipment vendors 
provide two types of ACLs, standard and extended. Standard ACL provides a means to 
permit or deny traffic based on specific source address. Extended ACL provides more 
flexible filtering rules using both the source and destination address and the port number 
and protocol. The following list from Cisco provides some filtering options available in 
modem routers: 

• Layer 4 protocol, 

• TCP and UDP ports, 

• ICMP types and codes, 

• IGMP types, 

• Precedence level, 

• Differentiated Services Code Point (DSCP) value, 

• TCP packets with the ACK, FIN, PSH, RST, SYN, or URG bit set, 

• Established TCP connections. [84] 

Even though router ACLs provide rather basic traffic-based security filtering, they 
form an important first layer in the “defense in depth” approach. SANS explains this 
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principle as applying many different security mechanisms instead of one. Thus, if one 
network defense layer is breached, an attacker still needs to overcome all other defense 
layers [85]. 

2. Justification 

This subsection indicates the position of similar security controls in other top-lists 
and provides justification for selecting this security control based on its ROI. 

a. Position of Similar Security Control in the Industry Recommended 

Top-lists” 

• 9 th and 11 th positions in the “The CIS Critical Security Controls for 
Effective Cyber Defense” (SANS CIS). 

• 12 th and 13 th positions in the “Strategies to Mitigate Targeted Cyber 
Intrusions” (ASCS). 

• 10 th position in the “IAD’s Top 10 Information Mitigation Assurance 
Strategies” (NSA IAD). 

• 10 th position in the “10 Steps to Cyber Security” (UK NCSC). 

• 2 nd position in the “10 Basic Cybersecurity Measures. Best Practices to 
Reduce Exploitable Weaknesses and Attacks” (Water-ISAC SIC, ICS- 
CERT, FBI). 

b. Return 

Implementation of this control can protect the router itself from numerous threats 

and also can provide protection of inner network components placed behind the router. 

For instance, Cisco routers have ACLs that provide flexible options to mitigate a variety 

of cyber threats. This includes exploits that require specific network ports, DDoS attacks, 

and the basic mitigation of application-level attacks. Routers with configured ACLs face 

and reject unnecessary and unwanted traffic before other network security solutions. In 

this way ACLs can significantly decrease the number of security events generated by IDS 

and IPS solutions, thus decreasing the number of event logs recorded. Implementing 

ACLs does not require investments in purchasing equipment, as routers are already 

deployed. However, implementing ACLs require time and skills to develop filtering 

rules, configure them, verify their correctness and effectiveness. All in all, ACLs, 
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configured on deployed routers, can provide defenders with the means to create another 
layer of defense by establishing network segmentation. Network segmentation is a 
security technique that divides a network into separate segments based on their trust level 
and functions in accordance with POLP. For example, for data leakage prevention 
purposes, ACLs can reject all Web traffic from a high-security network that is attempting 
to be routed to the Internet. 

The ACL is also a key concept and main technique used in the deployment of 
firewalls; i.e., identify the metrics of particular traffic that should or should not be 
permitted to cross a given network interface, then craft an appropriate rule to filter such 
traffic accordingly. In the perspective of ROI-based selection of security controls, this 
control has a very low investment denominator as compared to more expensive and 
complex dedicated firewall appliances. Firewalls provide more advanced ACL-based 
protection, and they have better performance on filtering tasks than do routers that were 
not inherently designed for such additional tasking. However, configuring ACLs on 
routers and compatible switches does not require any upfront spending. Routers and 
switches form network and internetworks, so they are already a necessary and intregral 
part of an organization’s IT infrastructure. This is in contrast to firewalls that require 
purchasing devices separately, as well as the added involvement of staff for their proper 
deployment. 


c. Investment 

• Initial investments—requires no additional equipment or software 
purchasing. 

• Implementation time —medium (up to four weeks); requires reconfiguring 
all routers and compatible switches. 

• Maintenance—does not require paid subscriptions or licenses. Requires 
low staff involvement. 

• User resistance—while implementing the control, technical personnel will 
likely encounter high user resistance as it may significantly constraint 
users’ access to entertainment Internet resources. 
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• Personnel training—may require a vendor-specific short-time training 
(two weeks) on the Configuring the ACLs on routers and switches for 
technical personnel implementing the security control. 

3. Recommendations 

Implementation of this security control requires careful preparation and listing of 
services required for the host organization’s missions. Each service requires certain 
network ports and protocols to be allowed to pass from one network to the next. These 
specifics should be listed by technical personnel during the implementation, as this data is 
a necessary precondition for creating appropriate rulesets. There are two opposite basic 
strategies for rule creating: “whitelisting” (only permit what is necessary) and 
“blacklisting” (only deny what is known to be bad). Blacklisting may be not reliable as it 
is nearly impossible to create rules blocking all possible threats. A network port that is 
safe, and thus not blocked today, might be used tomorrow by a new type of malware. 
NIST SP 800-53 rev4 recommends implementing boundary protection with a strategy of 
“DENY BY DEFAULT / ALLOW BY EXCEPTION” [7], Basically, if the content is not 
explicitly allowed by an ACL rule, the traffic will be rejected by the router. Such an 
approach is much easier to manage and implement than “blacklisting.” With the “deny by 
default” approach, technical personnel have to manage only a small list of the specifically 
permitted rules. Furthermore, defenders do not have to constantly create new filtering 
rules to block recently discovered threats. 

NIST SP 800-53 rev4 recommendations on policies, procedures, and 
implementation include: 

• SC-7 “Boundary Protection” and 

• AC-4 “Information Flow Enforcement” 

Related publications and resources include: 

• NIST SP 800-41 “Guidelines on Firewalls and Firewall Policy,” 

• NSA System and Network Attack Center publication “Router Security 
Configuration Guide,” and 

• Cisco publication “Protecting Your Core: Infrastructure Protection Access 
Control Lists.” 
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L. IMPROVE INCIDENT RESPONSE CAPABILITY BY DEVELOPING 
INCIDENT HANDLING PROGRAM 

This is a Deterrence, Prevention, Detection, and Recovery control security 

control. 


1. Description 

For virtually every network connected to the Internet, the occurrence of a cyber 
security incident is a matter of not “if,” but “when.” Incidents can have various levels of 
impact on the mission. UK NCSC recommends managing and analyzing all security 
incidents, especially "... those serious enough to warrant invoking the organization’s 
business continuity or disaster recovery plans. Some incidents can, on further analysis, be 
indicative of more severe underlying problems” [86]. According to the Information 
Technology Infrastructure Library, one of the best practices framework in the IT sphere, 
the two primary objectives of incident management are quickly recovering normal 
service and minimizing adverse impact [87]. UK NCSC in its guidelines on cyber 
security highlights that failure to manage incidents may lead to more severe impact, and a 
failure to address the root cause of a security incident can result in repetitive or even 
continuous compromise [86]. 

The heart of any cyber incident response capability is an incident handling 
program. A directive (CJCSM 6510.01B) on the “Cyber Incident Handling Program” 
from the Chairman of the Joint Chiefs of Staff Manual emphasizes that, “this program 
ensures an integrated capability to continually improve the Department of Defense’s 
ability to rapidly identify and respond to cyber incidents that adversely affect DOD 
information networks and information systems (ISs)” [88]. The incident handling 
program should be reflected in the set of policies, guidance, manuals, and technical 
instructions. This document should provide comprehensive information on handling 
processes and procedures. Development of the program should be based on the Manual’s 
recommended cyber incident handling process phases (cycle), which include: 

1. Detection of events. 

2. Preliminary analysis and identification of incidents. 
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3. Preliminary response actions. 

4. Incident analysis. 

5. Response and recovery. 

6. Post-incident analysis. [88] 

2. Justification 

This subsection indicates the position of similar security controls in other top-lists 
and provides justification for selecting this security control based on its ROI. 

a. Position of Similar Security Control in the Industry Recommended 
“Top-lists” 

• 19 st position in the “The CIS Critical Security Controls for Effective 
Cyber Defense” (SANS CIS). 

• Not included in the “Strategies to Mitigate Targeted Cyber Intrusions” 
(ASCS). 

• Not included in the “IAD’s Top 10 Information Mitigation Assurance 
Strategies” (NSA IAD). 

• 6 th position in the “10 Steps to Cyber Security” (UK NCSC). 

• 10 th position in the “10 Basic Cybersecurity Measures. Best Practices to 
Reduce Exploitable Weaknesses and Attacks” (Water-ISAC SIC, ICS- 
CERT, FBI). 

b. Return 

The Information Technology Infrastructure Library lists the following major 
benefits of implementing an incident management process. 

For the business as a whole, benefits include: 

• reduced business impact of incidents by timely resolution, thereby 
increasing effectiveness; 

• the proactive identification of beneficial system enhancements and 
amendments; and 

• the availability of business-focused management information related to the 
service level agreement. 
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For the IT team in particular, benefits include: 


• improved monitoring, allowing performance against service-level 
agreements to be accurately measured; 

• improved management information on aspects of service quality; 

• better staff utilization, leading to greater efficiency; 

• elimination of lost or incorrect Incidents and service requests; 

• more accurate configuration management database information (giving an 
ongoing audit while registering Incidents); and 

• improved user and customer satisfaction. [89] 

The Information Technology Infrastructure Library also highlights potential risks 
that can result from failing to establish incident management: 

• no one to manage and escalate Incidents - hence Incidents may become 
more severe than necessary and adversely affect IT service quality; 

• specialist support staff being subject to constant interruptions, making 
them less effective; 

• business staff being disrupted as people ask their colleagues for advice; 

• lack of coordinated management information; and 

• lost, or incorrectly, or badly managed Incidents. [89] 

c. Investment 

• Initial investments—requires no additional equipment or software 
purchasing. 

• Implementation time— significant (up to six months). 

• Maintenance—does not require paid subscriptions or licenses. Requires 
low staff involvement. 

• User resistance—while implementing the control, technical personnel will 
likely encounter low user resistance as it does not affect user experience 
and usability. 

• Personnel training—may require a training (one to two months) on the 
Development of cyber incident handling program for management 
personnel implementing the security control. 
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3. 


Recommendations 


In the framework of rapid cyber capability development, initial efforts should be 
focused on the development of incident triage procedures. After development, 
implementation and testing of the triage flow, escalation criteria, policies, plans, and 
procedures should be developed. Various publicly available incident management 
frameworks can be used as the basis for the development of an incident handling 
program. We suggest using the recommendation of NIST SP 800-61 rev2 “Computer 
Security Incident Handling Guide.” The guide provides a comprehensive and systematic 
approach in this matter, and—as an added benefit—is integrated with other NIST special 
publications (SPs) that are recommended by this report (e.g., SP 800-53). 

The structure of primary documents of an incident handling program, as 
recommended by NIST SP 800-61 rev2, are listed here by category. 

Policy structure: 

1. Statement of management commitment. 

2. Purpose and objectives of the policy. 

3. Scope of the policy (to whom and what it applies and under what 
circumstances). 

4. Definition of computer security incidents and related terms. 

5. Organizational structure and definition of roles, responsibilities, and levels 
of authority. 

6. Prioritization or severity ratings of incidents. 

7. Performance measures. 

8. Reporting and contact form. [90] 

Incident response plan structure: 

1. Mission. 

2. Strategies and goals. 

3. Senior management approval. 

4. Organizational approach to incident response. 
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5 . 


How the incident response team will communicate with the rest of the 
organization and with other organizations. 


6. Metrics for measuring the incident response capability and its 
effectiveness. 

7. Roadmap for maturing the incident response capability. 

8. How the program fits into the overall organization. [90] 

NIST SP 800-53 rev4 recommendations on policies, procedures, and 
implementation include: 

• IR-1 “Incident Policies and Procedures,” 

• IR-4 “Incident Handling,” 

• IR-5 “Incident Monitoring,” 

• IR-6 “Incident Reporting,” and 

• IR-8 “Incident Response Plan.” 

Related publications and resources include: 

• NIST SP 800-61 rev2 “Computer Security Incident Handling Guide” and 

• Chairman of the Joint Chiefs of Staff Manual on “Cyber incident handling 
program” (CJCSM 6510.01B). 

M. ESTABLISH SECURE CONFIGURED WORKSTATION BASELINES BY 
IMPLEMENTING SECURITY TECHNICAL IMPLEMENTATION 
GUIDES 

This is a Prevention security control. 

1. Description 

Computer systems, specifically workstations, as delivered by manufacturers, are 
typically configured from a usability perspective, rather than from a security perspective. 
For example, workstations might have unnecessary preinstalled software or services, 
have weak or even default passwords, have not installed antimalware software, etc. All 
these issues may make the workstation easier to use, but also increase the target surface 
area. A single new, improperly configured system can be used as an infiltration point by 
attackers. 
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Thus, computer systems, particularly those networked with other systems of equal 
or greater criticality to an organization, should be configured according to some pre- 
established security configuration baseline. Such baselines should be determined based 
on the fundamental security principles (POLP, reduce the attack surface area, etc.) using 
publicly developed, vetted, and supported configuration guides. Such baselines should 
describe the hardened profile of the operating system, and of any applications installed. A 
securely configured system should then be imaged and stored on a hidden logical disk 
drive or separate media. Typically the baseline image is used when a new workstation is 
put in place or for re-imaging of new workstations, or when an existing system is, or is 
expected to be, compromised. 

2. Justification 

This subsection indicates the position of similar security controls in other top-lists 
and provides justification for selecting this security control based on its ROI. 

a. Position of Similar Security Control in the Industry Recommended 
“Top-lists” 

• 3 rd position in the “The CIS Critical Security Controls for Effective Cyber 
Defense” (SANS CIS). 

• 5 th position “Strategies to Mitigate Targeted Cyber Intrusions” (ASCS). 

• 7 th position in the “IAD’s Top 10 Information Mitigation Assurance 
Strategies” (NSA IAD). 

• 2 nd position in the “10 Steps to Cyber Security” (UK NCSC). 

• Not included in the “10 Basic Cybersecurity Measures. Best Practices to 
Reduce Exploitable Weaknesses and Attacks” (Water-ISAC SIC, ICS- 
CERT, FBI). 

b. Return 

From a preventive perspective, enforcement of fundamental security techniques 
can close avenues of attack for many threats. The Defense Information Systems Agency 
(DISA) maintains case studies that show that the implementation of security 
configurations and hardening techniques can have an outstanding effect on security. For 
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instance, DISA internal analysis claims that “over 96% of cyber incidents could have 
been prevented if STIGS were applied” [91]. This is a rather profound statistic, and is 
indicative of a very large “R” numerator in the ROI calculus used to determine the “best” 
security controls for rapid improvement to an organization’s security posture. 

An imaged system can be very handy when preventive controls fail. For example, 
when an attacker has gained a root-level access, the whole system should be reimaged to 
the securely configured (i.e., “STIG’ed”) clean version. Having such images ready, 
would make this procedure relatively easy and fast to complete. Additionally, in many 
cases this can be performed remotely. 

c. Investment 

• Initial investments—requires no additional equipment or software 
purchasing. 

• Implementation time —long (up to two months). 

• Maintenance—does not require paid subscriptions or licenses. Requires 

medium staff involvement for periodical review of baseline configurations 
and applying patches. 

• User resistance—while implementing, the control technical personnel will 
likely encounter low user resistance. 

• Personnel training—requires no additional training for technical personnel 
implementing the security control. 

3. Recommendations 

This security control can be implemented using commercial or free configuration 
tools, which provide the means to set established configurations, check the settings of 
operating systems and applications for compliance. Configuration management tools 
usually use a combination of agent-based or agentless approaches. Specific settings and 
configuration guidelines can be found in industry recommended standards and guides, 
like DISA’s Security Technical Implementation Guides (STIGs), the Center for Internet 
Security Benchmarks Program, and the NIST National Checklist Program, etc. The 
baseline-configured system should be imaged, validated, and checked for vulnerabilities. 
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Best practices require that baseline configurations and corresponding images 
should be validated and newly released patches applied to the operating system and 
installed applications on a regular basis. Baseline images should be stored on dedicated 
protected repository/back-up servers, or in offline workstations that are highly isolated 
from the main network. To ensure that only authorized modifications are introduced to 
the baselines, they should be validated with integrity checking and change management 
tools. 

NIST SP 800-53 rev4 recommendations on policies, procedures, and 
implementation include: 

• CM-2 “Baseline Configuration,” 

• CM-3 “Configuration Change Control,” 

• CM-6 “Configuration Settings,” 

• CM-7 “Least Functionality,” and 

• MA-4 “Nonlocal Maintenance.” 

Related publications and resources include: 

• NIST SP 800-128 “Guide for Security-Focused Configuration 
Management of Information Systems,” 

• NIST SP 800-123 “Guide to General Server Security,” 

• DISA Security Technical Implementation Guides, and 

• NIST security configuration checklist. 
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V. CONCLUSION AND FUTURE WORK 


Cyber espionage campaigns as well as disruptive cyber attacks have become very 
powerful and covert tools used by some countries to gain strategic advantage over their 
opponents. Intensive usage of cyber offensive capabilities in recent geopolitical conflicts, 
along with the rapidly expanding cyber threats landscape, requires intensification of the 
development of defensive cyber capabilities. In the circumstances of an ongoing military 
conflict, the resources and time available for such development is very restricted. Given 
this situation, the question that needs answering is: Given limited resources (financial, 
human, and time), what are the “top 13” (or so) best security controls available to help 
mitigate current state-supported military cyber threats? This research set about answering 
that question in a methodical way. 

To establish a common language and discourse, Chapter II of this work covered 
some of the most important concepts and practices of cyber security. Cyber security can 
be achieved by the implementation of multiple security controls that, together, form a 
multilayered, defense-in-depth based security architecture. NIST SP 800-53 rev4 was 
identified as our primary reference for potential security controls from which to choose. 
We began our selection after analyzing those security controls occurring most often 
among well-known industry and government security control “top-lists.” Even though all 
of these industry-recommended security controls have the same goal, to enhance cyber 
security by the removal or mitigation of cyber vulnerabilities, they all have slightly 
different emphases, approaches, and levels of abstraction. More importantly, none of 
them truly considers resource restrictions (i.e., the “I” in ROI) as a primary factor for a 
“top” control selection. 

As a model of the network to be secured we have chosen a Windows-based 
network with Active Directory implemented, but without any security mechanisms in 
place. Also we have established metrics for selection of security controls that can provide 
high return with low investments. As our main prioritization factor, we have selected the 
shortest time and least effort needed for implementation; that is, “easiest things first.” As 
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the primary result of this work, we have selected and prioritized the following 13 security 
controls: 

1. Restrict the use of administrative privileges by implementing a group 
security policy. 

2. Enforce a strong password policy (user accounts and emails) by 
implementing a group security policy. 

3. Establish a basic boundary defense by deploying a network intrusion 
prevention system. 

4. Develop basic recovery capability by performing regular backups of 
servers. 

5. Mitigate generic exploit techniques by deploying an enhanced mitigation 
experience toolkit. 

6. Enhance end-point security by deploying a host intrusion prevention 
solution. 

7. Control software execution by implementing application whitelisting. 

8. Establish systematic OS patching by deploying an update server. 

9. Perform user activity monitoring and systematic auditing by implementing 
group security policies. 

10. Prevent unauthorized devices from getting network access by deploying a 
AAA server. 

11. Enhance the boundary defense by configuring access lists on both border 
and intra-border routers. 

12. Improve incident response capability by developing an incident handling 
program. 

13. Establish secure configured workstation baselines by implementing 
STIGs. 

Our top 13 selected security controls are each presented in a standardized format. 
This standard format: a) describes the control; b) contemplates both initial/upfront and 
ongoing maintenance costs; c) presents a subjective analysis of the potential security 
return (i.e., risk reduction); and d) provides general recommendations on each control’s 
implementation. We acknowledge that these security controls, even when implemented 
perfectly, will not guarantee risk-free cyber operations. We do, however, expect that 
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deployment of the security controls on this list will facilitate a relatively rapid 
establishment of a “first line of defense.” Any enterprise-level organization or country 
adopting these controls should enjoy the benefits of advancing their cyber security 
posture from near nothing to something with real defensive merit in relatively short order. 

Some of the security controls presented in our “top 13” list could individually be 
the central topic of a separate, dedicated thesis research owing to their significant 
complexity. For instance, the development of an incident handling program (security 
control #12) could be considered for future work. This work, ideally done by another 
Ukrainian student, could result in the development of a cyber incident handling guide for 
Ukrainian military cyber defense forces. This guide could be modeled after the “Cyber 
Incident Handling Program” (CJCSM 6510.01B) directive drafted by the U.S. Joint 
Chiefs of Staff, but tailored to meet the specific Ukrainian environment. Another thesis 
might consider development of methodology with supportive recommendations for 
implementation of the security control at the 11 th position of this list, “Enhance boundary 
defense by configuring access lists on the border and inner routers.” Each of the 
presented security controls is complex enough to warrant more research, but also that 
they require frequent updating as malicious agents are persistently working to weaken 
network security, degrade network services and access sensitive data. 
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